3.2.4.1 Generic Pass-Through

When using the NetrLogonSamLogon method, as specified in section 3.5.4.5.3, or the NetrLogonSamLogonEx method, as specified in section 3.5.4.5.1, for generic pass-through, the following requirements MUST be met:

• The LogonLevel parameter is 4 (NetlogonGenericInformation), as specified in section 2.2.1.4.16.

• The ValidationLevel parameter is 5 (NetlogonValidationGenericInfo2), as specified in section 2.2.1.4.14.

The LogonInformation parameter is NETLOGON_GENERIC_INFO structure, as specified in section 2.2.1.4.2.

• NETLOGON_GENERIC_INFO.PackageName is "Kerberos" ([MS-APDS] section 3.2.5.3) or "WDigest" ([MS-APDS] section 3.3.5.1).

Protocols that use Netlogon for generic pass-through will also include opaque Binary Large Objects (BLOBs) that comprise their respective message data. These BLOBs are passed in the LogonData field of the NETLOGON_GENERIC_INFO structure, with the size of the data specified in the DataLength field. The BLOB is passed from one system's Netlogon component to the other system's component over the wire. Netlogon will then pass the opaque BLOB to the security package specified in the PackageName field.

The NETLOGON_LOGON_IDENTITY_INFO structure (as specified in section 2.2.1.4.15) inside the NETLOGON_GENERIC_INFO structure (as specified in section 2.2.1.4.2) MUST:

• Contain the LogonDomainName.

• Ensure that the rest of the NETLOGON_LOGON_IDENTITY_INFO fields are zeroed out.

The response is sent by the domain controller via the ValidationInformation parameter, which points to a pointer to the NETLOGON_VALIDATION_GENERIC_INFO2 structure (section 2.2.1.4.8).

See [MS-APDS] for a specification of how NTLM, Kerberos, and Digest authentication packages use the Netlogon secure channel.