Monday, November 14, 2005


As the SDK states, using NegotiateStream, you can do the following:
  • Send the client's credentials to the server for Impersonation or Delegation.
  • Request server authentication.
  • Encrypt and/or sign data before transmitting it.

If you want CIA protection, the client must first call AuthenticateAsClient and the server must call AuthenticateAsServer. Both calls block. If one side omits its call, that side cannot use NegotiateStream and the other side stays blocked. As Keith Brown points out, these functions map down to SSPI's InitializeSecurityContext and AcceptSecurityContext, and basically implement an authenticated key exchange using a protocol called SPNEGO, which stands for "secure, protected negotiation."

The client should also specify a service principal name (SPN) if it wants to use Kerberos.
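
The paired blocking calls and the SPN argument described above, as an added example that is not part of the original post. It runs client and server in one process over loopback with the current Windows logon credentials; the SPN value `HOST/localhost` is an assumption and must be replaced with one registered for the server's account.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading;

class NegotiateStreamDemo
{
    const string TargetSpn = "HOST/localhost"; // assumed SPN, replace with a registered one
    static void Server(TcpListener listener)
    {
        using (TcpClient tcp = listener.AcceptTcpClient())
        using (NegotiateStream ns = new NegotiateStream(tcp.GetStream(), false))
        {
            // Blocks until the client calls AuthenticateAsClient.
            ns.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
            Console.WriteLine("server: peer={0} encrypted={1} signed={2}",
                ns.RemoteIdentity.Name, ns.IsEncrypted, ns.IsSigned);
            Console.WriteLine("server: received '{0}'", new StreamReader(ns).ReadLine());
        }
    }
    static void Main()
    {
        TcpListener listener = new TcpListener(IPAddress.Loopback, 0); // any free port
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        Thread server = new Thread(delegate() { Server(listener); });
        server.Start();
        using (TcpClient tcp = new TcpClient())
        {
            tcp.Connect(IPAddress.Loopback, port);
            using (NegotiateStream ns = new NegotiateStream(tcp.GetStream(), false))
            {
                // Blocks until the server calls AuthenticateAsServer.
                ns.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, TargetSpn,
                    ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
                // mutual=False means the server was not authenticated (e.g. NTLM was chosen).
                Console.WriteLine("client: mutual={0} encrypted={1}", ns.IsMutuallyAuthenticated, ns.IsEncrypted);
                StreamWriter writer = new StreamWriter(ns);
                writer.WriteLine("hello over NegotiateStream");
                writer.Flush();
            }
        }
        server.Join();
        listener.Stop();
    }
}
```

Checking `IsMutuallyAuthenticated` after the handshake is how the client learns whether the request for server authentication was actually honored.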

