I too think the algorithm is not the same since I implemented the RPC using the same algorithm (cred_session_key() and cred_create(zerotime)) but got 0xC0000022. This was with a flags value of 0x0007FFFF. However, the PDC returns STATUS_SUCCESS if flags = 0x000001FF. So the flags field seems to be significant.
Strangely though, if I don't align after the challenge and push a 0x006B006B (or 0x0000006B) before the neg_flags (= 0x0007FFFF), I could get it to work. I am not claiming that the preceding statement was very logical :-)) but it would be great if someone could verify it and at least disprove it.

Vijay

-----Original Message-----
From: Luke Howard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 19, 2002 12:56 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: unknown RPC opcodes during join+logon

>The return code always follows the last top-level [out] value, but there
>is an additional [out] ULONG in NetrServerAuthenticate3.
>
>The algorithm for calculating credentials is the same.

Actually, I'm no longer sure this is the case. It seems that the algorithm for NetrServerAuthenticate3 is the same if the client thinks the domain is an NT4 domain (in which case it talks to it over SMB), but it looks like the algorithm is different in a Windows 2000 domain (where the RPC is made over ncacn_ip_tcp), as unlikely as this seems (given they are the same RPC).

Note that the flags are ostensibly irrelevant, because the client sends the authenticator before it receives the flags from the server.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com