3.1.5.2 NTLM Network Logon
If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is >= 6, the account is not also the NTLM server's account, and the APDS server determines that an authentication policy setting ([MS-KILE] section 3.3.5.5) applies:
If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is < 7, the msDS-UserAllowedNTLMNetworkAuthentication and msDS-ServiceAllowedNTLMNetworkAuthentication attributes ([MS-ADA2] section 2.499 and [MS-ADA2] section 2.464, respectively) SHOULD<17> be treated as set to FALSE.
If the account is a user account object, the corresponding msDS-UserAllowedToAuthenticateFrom attribute ([MS-ADA2] section 2.500) is populated, and msDS-UserAllowedNTLMNetworkAuthentication is set to FALSE, APDS MUST return STATUS_ACCOUNT_RESTRICTION.
If the account is a managed service account object, the corresponding msDS-ServiceAllowedToAuthenticateFrom attribute ([MS-ADA2] section 2.465) is populated, and msDS-ServiceAllowedNTLMNetworkAuthentication is set to FALSE, APDS MUST return STATUS_ACCOUNT_RESTRICTION.
For NTLM network logons, the NTLM server MAY<18> call NetrLogonSamLogonEx ([MS-NRPC] section 3.5.4.5.1) with the following parameters (set as specified):
LogonLevel MUST be NetlogonNetworkInformation.
IF the G flag in NegotiateFlags ([MS-NRPC] section 3.1.4.2) is set to FALSE, the ValidationLevel MUST be NetlogonValidationSamInfo ([MS-NRPC] section 2.2.1.4.17).
ELSE IF the Y or T flags in NegotiateFlags ([MS-NRPC] section 3.1.4.2) are set to FALSE, the ValidationLevel MUST be NetlogonValidationSamInfo2 ([MS-NRPC] section 2.2.1.4.17).
ENDIF.
IF SealSecureChannel ([MS-NRPC] section 3.1.1) is set to FALSE, the ValidationLevel MUST be NetlogonValidationSamInfo2 ([MS-NRPC] section 2.2.1.4.17).
ELSE the ValidationLevel SHOULD<19> be NetlogonValidationSamInfo4 ([MS-NRPC] section 2.2.1.4.17).
ENDIF.
LogonInformation MUST contain a reference to NETLOGON_NETWORK_INFO ([MS-NRPC] section 2.2.1.4.5).
Set the E and K bits of LogonInformation.LogonNetwork.Identity.ParameterControl.<20>
The NTLM server computes the LmChallenge field it sends to the DC with the following algorithm:
IF (NTLMSSP_NEGOTIATE_ENHANCED_SESSION_SECURITY and NtResponseLength == 24 and LmResponseLength >= 8)
    NetlogonNetworkInformation.LmChallenge = MD5(Concatenate(ChallengeToClient, LmResponse[0..7]))[0..7]
ELSE
    NetlogonNetworkInformation.LmChallenge = ChallengeToClient
END
The DC of the server's domain MUST be located ([MS-NRPC] section 3.5.4.3) and the request sent to it. This request MUST contain the NTLM challenge-response pair that was exchanged between the NTLM server and the client ([MS-NLMP] sections 2.2.1.2 and 2.2.1.3).
The DC verifies the response to the challenge either as defined in [MS-NLMP] section 3.3 or by using a subauthentication package (section 3.1.5.2.1).
If the account is a computer account, the subauthentication package is not verified, and the K bit of LogonInformation.LogonNetwork.Identity.ParameterControl is not set, then return STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.<21>
If the account is a domain controller computer account, the subauthentication package is not verified, and the E bit of LogonInformation.LogonNetwork.Identity.ParameterControl is not set, return STATUS_NOLOGON_SERVER_TRUST_ACCOUNT.
If the account has the userWorkstations attribute populated ([MS-ADA3] section 2.353), the DC MUST verify that the workstation name in the NTLM header ([MS-NLMP] section 2.2.1.3) matches one of the workstations listed in the attribute. If not, the DC MUST deny the authentication and return STATUS_INVALID_WORKSTATION. If the userWorkstations attribute is not populated, the DC ignores this check.
For NTLMv2 authentication [MS-NLMP], the DC MUST verify that the request originated from the NTLM server that generated the challenge:
The DC extracts the MsvAvNbComputerName and MsvAvNbDomainName AV pairs ([MS-NLMP] section 2.2.2.1) from the NTLMv2_CLIENT_CHALLENGE ([MS-NLMP] section 2.2.2.7) of the AUTHENTICATE_MESSAGE ([MS-NLMP] section 2.2.1.3).
If MsvAvNbDomainName does not match the NetBIOS name of the DC's domain, then return STATUS_LOGON_FAILURE (section 2.2).
If MsvAvNbComputerName does not match the NetBIOS name of the server that established the secure channel ([MS-NRPC] section 3.5.4.4.2), then return STATUS_LOGON_FAILURE.
If there is a match, the DC MUST return data with ValidationInformation containing a reference to NETLOGON_VALIDATION_SAM_INFO4 ([MS-NRPC] section 2.2.1.4.13, if the ValidationLevel in the request is NetlogonValidationSamInfo4) or a reference to NETLOGON_VALIDATION_SAM_INFO2 ([MS-NRPC] section 2.2.1.4.12, if the ValidationLevel in the request is NetlogonValidationSamInfo2) or a reference to NETLOGON_VALIDATION_SAM_INFO ([MS-NRPC] section 2.2.1.4.11, if the ValidationLevel in the request is NetlogonValidationSamInfo). If there is not a match, the DC MUST return a failure error code STATUS_LOGON_FAILURE with no response data.<22>
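As an added illustration (not text from this specification nor code from any Microsoft implementation), the following Python models two of the computations described in this section: the LmChallenge derivation the NTLM server performs before calling NetrLogonSamLogonEx, and the DC-side MsvAvNbDomainName/MsvAvNbComputerName origin check for NTLMv2. Function names, the constructed sample response and the case-insensitive NetBIOS comparison are assumptions; the AvId values and the NTLMv2_RESPONSE layout follow [MS-NLMP].

```python
import hashlib
import struct

# AvId values from [MS-NLMP] section 2.2.2.1 (AV_PAIR).
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_NB_DOMAIN_NAME = 0x0002

def netlogon_lm_challenge(ess_negotiated, challenge_to_client, lm_response, nt_response):
    """LmChallenge the NTLM server places in NETLOGON_NETWORK_INFO (section 3.1.5.2 algorithm)."""
    if len(challenge_to_client) != 8:
        raise ValueError("ChallengeToClient must be 8 bytes")
    # NTLM2 session security: 24-byte NT response and an 8-byte client nonce in LmResponse.
    if ess_negotiated and len(nt_response) == 24 and len(lm_response) >= 8:
        return hashlib.md5(challenge_to_client + lm_response[:8]).digest()[:8]
    return challenge_to_client  # NTLMv1 without ESS, or NTLMv2: pass the challenge through

def parse_av_pairs(av_blob):
    """Return {AvId: value bytes} from an AV_PAIR list terminated by MsvAvEOL."""
    pairs, offset = {}, 0
    while True:
        if offset + 4 > len(av_blob):
            raise ValueError("AV_PAIR list truncated before MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", av_blob, offset)
        offset += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = av_blob[offset:offset + av_len]
        offset += av_len

def dc_origin_check(nt_response, dc_domain_nb, channel_server_nb):
    """DC-side NTLMv2 origin check: both NetBIOS names must match, else STATUS_LOGON_FAILURE."""
    # NTLMv2_RESPONSE = 16-byte NTProofStr + NTLMv2_CLIENT_CHALLENGE, whose AvPairs field starts
    # 28 bytes in. Assumption (not stated on the page): NetBIOS names compare case-insensitively.
    av = parse_av_pairs(nt_response[16 + 28:])
    domain = av.get(MSV_AV_NB_DOMAIN_NAME, b"").decode("utf-16-le").upper()
    computer = av.get(MSV_AV_NB_COMPUTER_NAME, b"").decode("utf-16-le").upper()
    if domain != dc_domain_nb.upper() or computer != channel_server_nb.upper():
        return "STATUS_LOGON_FAILURE"
    return "STATUS_SUCCESS"

def build_av_pairs(pairs):
    """Encode [(AvId, value bytes), ...] plus the MsvAvEOL terminator (used for sample data)."""
    return b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs) + struct.pack("<HH", 0, 0)

# Constructed sample NTLMv2_RESPONSE: dummy NTProofStr, client-challenge header fields, AV pairs.
SAMPLE_AV = build_av_pairs([(MSV_AV_NB_DOMAIN_NAME, "CORP".encode("utf-16-le")),
                            (MSV_AV_NB_COMPUTER_NAME, "FILESRV01".encode("utf-16-le"))])
SAMPLE_NT_RESPONSE = b"\x11" * 16 + b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x22" * 8 + b"\x00" * 4 + SAMPLE_AV
```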