3.2.1.2 NTLM Subsystem Interaction

During the inside_authentication state, the POP3 server invokes the NTLM subsystem as specified in [MS-NLMP] section 3.1.1. The NTLM protocol is used with the following options:

  1. The negotiation is a connection-oriented NTLM negotiation.

  2. None of the flags specified in [MS-NLMP] section 3.1.1 are passed to NTLM.

The following is a description of how POP3 uses NTLM. For further details, see [MS-NLMP] section 3.1.1, which describes the data model and sequencing of NTLM packets in greater detail:

  1. The server, on receiving the NTLM NEGOTIATE_MESSAGE packet, passes it to the NTLM subsystem and is returned the NTLM CHALLENGE_MESSAGE packet, if the NTLM NEGOTIATE_MESSAGE was valid.

  2. Subsequently, the exchange of NTLM messages continues as defined by the NTLM protocol, with the POP3 server encapsulating the NTLM messages returned by NTLM before sending them to the client.

  3. When the NTLM protocol completes authentication, either successfully or unsuccessfully, the NTLM subsystem notifies POP3:

    • On successful completion, the server MUST exit the inside_authentication state, enter the completed_authentication state, and send the POP3_AUTH_NTLM_Succeeded_Response to the client. On receiving this message, the client MUST also transition to the completed_authentication state.

    • If a failure occurs due to an incorrect password error, as described in [MS-NLMP] sections 3.3.1 and 3.3.2, the server SHOULD enter the completed_authentication state and send the client a POP3_AUTH_NTLM_Fail_Response message.

    • If a failure occurs on the server due to any reason other than the incorrect password error, the server enters the completed_authentication state and sends the client a POP3_AUTH_NTLM_Fail_Response message. On receiving this message, the client MUST enter the completed_authentication state.
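The state transitions above, as an added Python example (not code from MS-POP3 or MS-NLMP): a POP3 server object that stays in inside_authentication while NTLM needs more round trips, encapsulates each NTLM message for the client, and moves to completed_authentication on every terminal outcome, success or failure, answering with the corresponding succeeded or fail response. It assumes the encapsulation used by the AUTH NTLM mechanism, which this section does not restate: NTLM messages carried as base64 text, server continuations as "+ <base64>", and "+OK" / "-ERR" as the succeeded and fail responses. The NTLM subsystem is a constructed stand-in: it enforces the NTLMSSP header, the NEGOTIATE -> CHALLENGE -> AUTHENTICATE ordering and the real message layouts, but the credential check is a constructed keyed hash over the server challenge, not NTLMv2, and the secret store and user name are made up for the demonstration.

```python
import base64
import enum
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


class Outcome(enum.Enum):
    CONTINUE = "continue"            # NTLM needs another round trip
    SUCCESS = "success"
    BAD_PASSWORD = "bad_password"    # the incorrect-password failure of [MS-NLMP]
    OTHER_FAILURE = "other_failure"  # any other NTLM failure


def message_type(blob):
    """MessageType from the 12-byte NTLM header, or None if the header is malformed."""
    if len(blob) < 12 or blob[:8] != NTLMSSP:
        return None
    return struct.unpack_from("<I", blob, 8)[0]


def field(blob, offset):
    """Decode a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points at."""
    ln, _, off = struct.unpack_from("<HHI", blob, offset)
    if off + ln > len(blob):
        raise ValueError("field runs past end of message")
    return blob[off:off + ln]


class SimulatedNtlm:
    """Constructed stand-in for the NTLM subsystem (not NTLMv2): checks framing and
    sequencing, then hands the credential check to a callback."""

    def __init__(self, check_credentials):
        self.check_credentials = check_credentials  # (user, nt_response, challenge) -> Outcome
        self.challenge = None

    def accept(self, blob):
        mtype = message_type(blob)
        if mtype == NEGOTIATE and self.challenge is None:
            self.challenge = os.urandom(8)
            # CHALLENGE_MESSAGE: TargetNameFields, NegotiateFlags, ServerChallenge,
            # Reserved, TargetInfoFields, Version; both variable-length fields left empty.
            msg = NTLMSSP + struct.pack("<I", CHALLENGE) + struct.pack("<HHI", 0, 0, 56)
            msg += struct.pack("<I", 0) + self.challenge + bytes(8)
            msg += struct.pack("<HHI", 0, 0, 56) + bytes(8)
            return Outcome.CONTINUE, msg
        if mtype == AUTHENTICATE and self.challenge is not None:
            try:
                nt_response = field(blob, 20)                # NtChallengeResponseFields
                user = field(blob, 36).decode("utf-16-le")   # UserNameFields
            except (struct.error, ValueError):
                return Outcome.OTHER_FAILURE, None
            return self.check_credentials(user, nt_response, self.challenge), None
        return Outcome.OTHER_FAILURE, None   # wrong order, unknown type or bad header


class Pop3NtlmServer:
    """The POP3 side of section 3.2.1.2: encapsulates NTLM blobs and tracks the state."""

    def __init__(self, ntlm):
        self.ntlm = ntlm
        self.state = "inside_authentication"

    def handle_line(self, line):
        """Process one client line; return the POP3 response line."""
        if self.state != "inside_authentication":
            return "-ERR not inside authentication"
        try:
            blob = base64.b64decode(line.strip(), validate=True)
        except ValueError:                      # not valid base64: treat as an NTLM failure
            outcome, reply = Outcome.OTHER_FAILURE, None
        else:
            outcome, reply = self.ntlm.accept(blob)
        if outcome is Outcome.CONTINUE:
            return "+ " + b64(reply)
        # Success, incorrect password and every other failure all leave inside_authentication.
        self.state = "completed_authentication"
        if outcome is Outcome.SUCCESS:
            return "+OK authentication succeeded"   # POP3_AUTH_NTLM_Succeeded_Response
        return "-ERR authentication failed"         # POP3_AUTH_NTLM_Fail_Response


def b64(blob):
    return base64.b64encode(blob).decode("ascii")


# --- constructed client side and secret store, for the demonstration only ---
USER_SECRETS = {"alice": b"constructed-secret"}


def demo_check(user, nt_response, challenge):
    """Constructed keyed-hash check bound to the server challenge (not NTLMv2)."""
    if user not in USER_SECRETS:
        return Outcome.OTHER_FAILURE
    expected = hmac.new(USER_SECRETS[user], challenge, "sha256").digest()
    return Outcome.SUCCESS if hmac.compare_digest(nt_response, expected) else Outcome.BAD_PASSWORD


def client_negotiate():
    return NTLMSSP + struct.pack("<I", NEGOTIATE) + struct.pack("<I", 0) + bytes(24)


def client_authenticate(user, secret, challenge_msg):
    proof = hmac.new(secret, challenge_msg[24:32], "sha256").digest()   # ServerChallenge at 24
    name = user.encode("utf-16-le")
    hdr = NTLMSSP + struct.pack("<I", AUTHENTICATE)
    hdr += struct.pack("<HHI", 0, 0, 88)                               # LmChallengeResponse
    hdr += struct.pack("<HHI", len(proof), len(proof), 88)             # NtChallengeResponse
    hdr += struct.pack("<HHI", 0, 0, 88 + len(proof))                  # DomainName
    hdr += struct.pack("<HHI", len(name), len(name), 88 + len(proof))  # UserName
    hdr += struct.pack("<HHI", 0, 0, 88 + len(proof) + len(name)) * 2  # Workstation, SessionKey
    hdr += struct.pack("<I", 0) + bytes(8) + bytes(16)                 # NegotiateFlags, Version, MIC
    return hdr + proof + name


def run_exchange(user, secret, skip_negotiate=False):
    """Drive one AUTH NTLM exchange; return the server's responses and its final state."""
    server = Pop3NtlmServer(SimulatedNtlm(demo_check))
    responses, challenge_msg = [], bytes(32)   # placeholder challenge if NEGOTIATE is skipped
    if not skip_negotiate:
        responses.append(server.handle_line(b64(client_negotiate())))
        challenge_msg = base64.b64decode(responses[-1][2:])
    responses.append(server.handle_line(b64(client_authenticate(user, secret, challenge_msg))))
    return responses, server.state
```

Running `run_exchange("alice", b"constructed-secret")` yields a "+ " continuation carrying the CHALLENGE_MESSAGE followed by "+OK", while a wrong secret or an AUTHENTICATE_MESSAGE sent before NEGOTIATE yields "-ERR"; in every case the server ends in completed_authentication and rejects further authentication lines, which is the property the three bullets above require.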