Partilhar via


2.2.1.3 AUTHENTICATE_MESSAGE

The AUTHENTICATE_MESSAGE defines an NTLM authenticate message that is sent from the client to the server after the CHALLENGE_MESSAGE (section 2.2.1.2) is processed by the client.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Signature

...

MessageType

LmChallengeResponseFields

...

NtChallengeResponseFields

...

DomainNameFields

...

UserNameFields

...

WorkstationFields

...

EncryptedRandomSessionKeyFields

...

NegotiateFlags

Version

...

MIC (16 bytes)

...

...

Payload (variable)

...

Signature (8 bytes): An 8-byte character array that MUST contain the ASCII string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').

MessageType (4 bytes): A 32-bit unsigned integer that indicates the message type. This field MUST be set to 0x00000003.

LmChallengeResponseFields (8 bytes): A field containing LmChallengeResponse information. The field diagram for LmChallengeResponseFields is as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

LmChallengeResponseLen

LmChallengeResponseMaxLen

LmChallengeResponseBufferOffset

If the client chooses to send an LmChallengeResponse to the server, the fields are set to the following values:

§ LmChallengeResponseLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of LmChallengeResponse in Payload.

§ LmChallengeResponseMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of LmChallengeResponseLen and MUST be ignored on receipt.

§ LmChallengeResponseBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the AUTHENTICATE_MESSAGE to LmChallengeResponse in Payload.

Otherwise, if the client chooses not to send an LmChallengeResponse to the server, the fields take the following values:

  • LmChallengeResponseLen and LmChallengeResponseMaxLen MUST be set to zero on transmission.

  • LmChallengeResponseBufferOffset field SHOULD be set to the offset from the beginning of the AUTHENTICATE_MESSAGE to where the LmChallengeResponse would be in Payload if it was present.

NtChallengeResponseFields (8 bytes): A field containing NtChallengeResponse information. The field diagram for NtChallengeResponseFields is as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

NtChallengeResponseLen

NtChallengeResponseMaxLen

NtChallengeResponseBufferOffset

If the client chooses to send an NtChallengeResponse to the server, the fields are set to the following values:

§ NtChallengeResponseLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of NtChallengeResponse in Payload.

§ NtChallengeResponseMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of NtChallengeResponseLen and MUST be ignored on receipt.

§ NtChallengeResponseBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the AUTHENTICATE_MESSAGE to NtChallengeResponse in Payload.<10>

Otherwise, if the client chooses not to send an NtChallengeResponse to the server, the fields take the following values:

  • NtChallengeResponseLen, and NtChallengeResponseMaxLen MUST be set to zero on transmission.

  • NtChallengeResponseBufferOffset field SHOULD be set to the offset from the beginning of the AUTHENTICATE_MESSAGE to where the NtChallengeResponse would be in Payload if it was present.

DomainNameFields (8 bytes): A field containing DomainName information. The field diagram for DomainNameFields is as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

DomainNameLen

DomainNameMaxLen

DomainNameBufferOffset

If the client chooses to send a DomainName to the server, the fields are set to the following values:

§ DomainNameLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of DomainName in Payload.

§ DomainNameMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of DomainNameLen and MUST be ignored on receipt.

§ DomainNameBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the AUTHENTICATE_MESSAGE to DomainName in Payload. If DomainName is a Unicode string, the values of DomainNameBufferOffset and DomainNameLen MUST be multiples of 2.

Otherwise, if the client chooses not to send a DomainName to the server, the fields take the following values:

  • DomainNameLen and DomainNameMaxLen MUST be set to zero on transmission.

  • DomainNameBufferOffset field SHOULD be set to the offset from the beginning of the AUTHENTICATE_MESSAGE to where the DomainName would be in Payload if it was present.

UserNameFields (8 bytes): A field containing UserName information. The field diagram for the UserNameFields is as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

UserNameLen

UserNameMaxLen

UserNameBufferOffset

If the client chooses to send a UserName to the server, the fields are set to the following values:

§ UserNameLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of UserName in Payload, not including a NULL terminator.

§ UserNameMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of UserNameLen and MUST be ignored on receipt.

§ UserNameBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the AUTHENTICATE_MESSAGE to UserName in Payload. If the UserName to be sent contains a Unicode string, the values of UserNameBufferOffset and UserNameLen MUST be multiples of 2.

Otherwise, if the client chooses not to send a UserName to the server, the fields take the following values:

  • UserNameLen and UserNameMaxLen MUST be set to zero on transmission.

  • UserNameBufferOffset field SHOULD be set to the offset from the beginning of the AUTHENTICATE_MESSAGE to where the UserName would be in Payload if it were present.

WorkstationFields (8 bytes): A field containing Workstation information. The field diagram for the WorkstationFields is as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

WorkstationLen

WorkstationMaxLen

WorkstationBufferOffset

If the client chooses to send a Workstation to the server, the fields are set to the following values:

§ WorkstationLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of Workstation in Payload.

§ WorkstationMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of WorkstationLen and MUST be ignored on receipt.

§ WorkstationBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the AUTHENTICATE_MESSAGE to Workstation in Payload. If Workstation contains a Unicode string, the values of WorkstationBufferOffset and WorkstationLen MUST be multiples of 2.

Othewise, if the client chooses not to send a Workstation to the server, the fields take the following values:

  • WorkstationLen and WorkstationMaxLen MUST be set to zero on transmission.

  • WorkstationBufferOffset field SHOULD be set to the offset from the beginning of the AUTHENTICATE_MESSAGE to where the Workstation would be in Payload if it was present.

EncryptedRandomSessionKeyFields (8 bytes): A field containing EncryptedRandomSessionKey information. The field diagram for EncryptedRandomSessionKeyFields is as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

EncryptedRandomSessionKeyLen

EncryptedRandomSessionKeyMaxLen

EncryptedRandomSessionKeyBufferOffset

If the NTLMSSP_NEGOTIATE_KEY_EXCH flag is set in NegotiateFlags, indicating that an EncryptedRandomSessionKey is supplied, the fields are set to the following values:

§ EncryptedRandomSessionKeyLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of EncryptedRandomSessionKey in Payload.

§ EncryptedRandomSessionKeyMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of EncryptedRandomSessionKeyLen and MUST be ignored on receipt.

§ EncryptedRandomSessionKeyBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the AUTHENTICATE_MESSAGE to EncryptedRandomSessionKey in Payload.

Otherwise, if the NTLMSSP_NEGOTIATE_KEY_EXCH flag is not set in NegotiateFlags, indicating that an EncryptedRandomSessionKey is not supplied, the fields take the following values, and must be ignored upon receipt:

  • EncryptedRandomSessionKeyLen and EncryptedRandomSessionKeyMaxLen SHOULD be set to zero on transmission.

  • EncryptedRandomSessionKeyBufferOffset field SHOULD be set to the offset from the beginning of the AUTHENTICATE_MESSAGE to where the EncryptedRandomSessionKey would be in Payload if it was present.

NegotiateFlags (4 bytes): In connectionless mode, a NEGOTIATE structure that contains a set of flags (section 2.2.2.5) and represents the conclusion of negotiation—the choices the client has made from the options the server offered in the CHALLENGE_MESSAGE. In connection-oriented mode, a NEGOTIATE structure (section 2.2.2.5) that contains the set of bit flags negotiated in the previous messages.

Version (8 bytes): A VERSION structure (section 2.2.2.10) that SHOULD be populated only when the NTLMSSP_NEGOTIATE_VERSION flag is set in the NegotiateFlags field; otherwise, it MUST be set to all zero. This structure is used for debugging purposes only. In normal protocol messages, it is ignored and does not affect the NTLM message processing.<11>

MIC (16 bytes): The message integrity for the NTLM NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, and AUTHENTICATE_MESSAGE.<12>

Payload (variable): A byte array that contains the data referred to by the LmChallengeResponseBufferOffset, NtChallengeResponseBufferOffset, DomainNameBufferOffset, UserNameBufferOffset, WorkstationBufferOffset, and EncryptedRandomSessionKeyBufferOffset message fields. Payload data can be present in any order within the Payload field, with variable-length padding before or after the data. The data that can be present in the Payload field of this message, in no particular order, are:


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

LmChallengeResponse (variable)

...

NtChallengeResponse (variable)

...

DomainName (variable)

...

UserName (variable)

...

Workstation (variable)

...

EncryptedRandomSessionKey (variable)

...

LmChallengeResponse (variable): An LM_RESPONSE structure (section 2.2.2.3) or an LMv2_RESPONSE structure (section 2.2.2.4) that contains the computed LM response to the challenge. If NTLM v2 authentication is configured, then LmChallengeResponse MUST be an LMv2_RESPONSE structure. Otherwise, it MUST be an LM_RESPONSE structure.

NtChallengeResponse (variable): An NTLM_RESPONSE structure (section 2.2.2.6) or NTLMv2_RESPONSE structure (section 2.2.2.8) that contains the computed NT response to the challenge. If NTLM v2 authentication is configured, NtChallengeResponse MUST be an NTLMv2_RESPONSE. Otherwise, it MUST be an NTLM_RESPONSE.

DomainName (variable): The domain or computer name hosting the user account. DomainName MUST be encoded in the negotiated character set.

UserName (variable): The name of the user to be authenticated. UserName MUST be encoded in the negotiated character set.

Workstation (variable): The name of the computer to which the user is logged on. Workstation MUST be encoded in the negotiated character set.

EncryptedRandomSessionKey (variable):  The client's encrypted random session key. EncryptedRandomSessionKey and its usage are defined in sections 3.1.5 and 3.2.5.