
7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.3: Only Windows NT clients initiate requests for the LM version of the protocol. All Microsoft Windows servers still accept it if properly configured.

<2> Section 1.3.1: It is possible, with the Windows implementation of connectionless NTLM, for messages protected by NTLM session security to precede the completion of the established NTLM session, but such message orderings do not occur in practice.

<3> Section 1.4: When authenticating a domain account with NTLM, Windows uses Netlogon ([MS-APDS]) to have the DC take the challenge and the client's response, and validate the user authentication against the DC's user database.

<4> Section 1.6: Windows applications that use Negotiate ([MS-SPNG]) may authenticate via NTLM if Kerberos is not available. Authenticating via NTLM occurs if either the client or the server is down-level (running Windows NT 4.0 or earlier), if the server is not joined to a domain, if the application is using a remote procedure call (RPC) interface that uses NTLM directly, or if the administrator has not configured Kerberos properly. An implementer who wants to support these scenarios in which Kerberos does not work would need to implement NTLM.

<5> Section 2.2.1.1: The Version field is NOT sent or accessed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field starts immediately after WorkstationBufferOffset. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages that carry a Version field.

<6> Section 2.2.1.1: The code page mapping the OEM character set to Unicode is configurable via HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\Nls\Codepage\OEMCP, which is a DWORD that contains the assigned number of the code page.

<7> Section 2.2.1.2: The Version field is NOT sent or accessed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field starts immediately after TargetInfoBufferOffset. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages that carry a Version field.

<8> Section 2.2.1.3: Although the protocol allows authentication to succeed if the client provides either LmChallengeResponse or NtChallengeResponse, Windows implementations provide both.

<9> Section 2.2.1.3: The Version field is NOT sent or consumed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field starts immediately after NegotiateFlags. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages constructed with a Version field.

<10> Section 2.2.1.3: The MIC field is omitted in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<11> Section 2.2.2.1: MsvAvDnsTreeName AV_PAIR type is not supported in Windows NT and Windows 2000.

<12> Section 2.2.2.1: MsvAvFlags AV_PAIR type is not supported in Windows NT and Windows 2000.

<13> Section 2.2.2.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<14> Section 2.2.2.1: MsvAvTimestamp AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<15> Section 2.2.2.1: MsvAvSingleHost AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<16> Section 2.2.2.1: MsvAvTargetName AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<17> Section 2.2.2.1: MsvChannelBindings AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.
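Footnotes <11> through <17> say which AV_PAIR types a given Windows release understands, which matters when reading the TargetInfo of a CHALLENGE_MESSAGE (or the copy echoed back in NTLM v2 responses). The following is an added example, not code from MS-NLMP or from Windows, that parses a TargetInfo block into its AV_PAIRs, decodes the MsvAvTimestamp and MsvAvFlags values, reports whether the MIC flag is set, and computes the oldest Windows release that understands every pair present. The AvId numbers and the MsvAvFlags bits are the values defined in section 2.2.2.1; the sample TargetInfo, the FIRST_SUPPORT table (derived from the footnotes above, with families not footnoted assumed supported since Windows NT) and the release ordering are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# AvId values, MS-NLMP section 2.2.2.1
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_NB_DOMAIN_NAME = 0x0002
MSV_AV_DNS_COMPUTER_NAME = 0x0003
MSV_AV_DNS_DOMAIN_NAME = 0x0004
MSV_AV_DNS_TREE_NAME = 0x0005
MSV_AV_FLAGS = 0x0006
MSV_AV_TIMESTAMP = 0x0007
MSV_AV_SINGLE_HOST = 0x0008
MSV_AV_TARGET_NAME = 0x0009
MSV_CHANNEL_BINDINGS = 0x000A

# MsvAvFlags bits, MS-NLMP section 2.2.2.1
AV_FLAG_CONSTRAINED_AUTH = 0x00000001
AV_FLAG_MIC_PRESENT = 0x00000002
AV_FLAG_UNTRUSTED_SPN = 0x00000004

# Oldest release that supports each AvId, taken from footnotes <11>-<17>.
# Assumption: AvIds without a footnote are supported from Windows NT onward.
FIRST_SUPPORT = {
    MSV_AV_DNS_TREE_NAME: "Windows XP",
    MSV_AV_FLAGS: "Windows XP",
    MSV_AV_TIMESTAMP: "Windows Vista",
    MSV_AV_SINGLE_HOST: "Windows Vista",
    MSV_AV_TARGET_NAME: "Windows 7",
    MSV_CHANNEL_BINDINGS: "Windows 7",
}
# Assumed client-family ordering used only to pick the newest requirement.
RELEASE_ORDER = ["Windows NT", "Windows 2000", "Windows XP", "Windows Server 2003",
                 "Windows Vista", "Windows Server 2008", "Windows 7"]

UNICODE_STRING_IDS = {MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME,
                      MSV_AV_DNS_COMPUTER_NAME, MSV_AV_DNS_DOMAIN_NAME,
                      MSV_AV_DNS_TREE_NAME, MSV_AV_TARGET_NAME}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME is 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def decode_av(av_id, value):
    """Decode one AV_PAIR value according to its AvId; unknown types stay raw."""
    if av_id in UNICODE_STRING_IDS:
        return value.decode("utf-16-le")
    if av_id == MSV_AV_FLAGS:
        if len(value) != 4:
            raise ValueError("MsvAvFlags must be 4 bytes")
        return struct.unpack("<I", value)[0]
    if av_id == MSV_AV_TIMESTAMP:
        if len(value) != 8:
            raise ValueError("MsvAvTimestamp must be 8 bytes")
        return filetime_to_datetime(struct.unpack("<Q", value)[0])
    return value  # MsvAvSingleHost, MsvChannelBindings: opaque bytes here


def parse_target_info(blob):
    """Walk AvId/AvLen/Value triples until MsvAvEOL; raise on truncation."""
    pairs, pos = [], 0
    while True:
        if pos + 4 > len(blob):
            raise ValueError("TargetInfo ends without MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            if av_len != 0:
                raise ValueError("MsvAvEOL must have AvLen 0")
            return pairs
        value = blob[pos:pos + av_len]
        if len(value) != av_len:
            raise ValueError("AV_PAIR value truncated")
        pos += av_len
        pairs.append((av_id, decode_av(av_id, value)))


def target_info_is_well_formed(blob):
    try:
        parse_target_info(blob)
        return True
    except ValueError:
        return False


def mic_expected(pairs):
    """True when MsvAvFlags says the AUTHENTICATE_MESSAGE carries a MIC."""
    return bool(dict(pairs).get(MSV_AV_FLAGS, 0) & AV_FLAG_MIC_PRESENT)


def min_release(pairs):
    """Oldest Windows release that understands every AV_PAIR present."""
    needed = [FIRST_SUPPORT.get(av_id, "Windows NT") for av_id, _ in pairs]
    return max(needed, key=RELEASE_ORDER.index, default="Windows NT")


def build_av_pair(av_id, value):
    return struct.pack("<HH", av_id, len(value)) + value


def _u16(text):
    return text.encode("utf-16-le")


# Constructed sample TargetInfo (not captured traffic); timestamp is
# 2015-01-01T00:00:00Z expressed as a FILETIME.
SAMPLE_TARGET_INFO = (
    build_av_pair(MSV_AV_NB_DOMAIN_NAME, _u16("CORP"))
    + build_av_pair(MSV_AV_NB_COMPUTER_NAME, _u16("DC01"))
    + build_av_pair(MSV_AV_DNS_DOMAIN_NAME, _u16("corp.example"))
    + build_av_pair(MSV_AV_DNS_COMPUTER_NAME, _u16("dc01.corp.example"))
    + build_av_pair(MSV_AV_TIMESTAMP, struct.pack("<Q", 130645440000000000))
    + build_av_pair(MSV_AV_FLAGS, struct.pack("<I", AV_FLAG_MIC_PRESENT))
    + build_av_pair(MSV_AV_EOL, b"")
)

if __name__ == "__main__":
    pairs = parse_target_info(SAMPLE_TARGET_INFO)
    for av_id, value in pairs:
        print(hex(av_id), value)
    print("MIC expected:", mic_expected(pairs), "needs:", min_release(pairs))
```

A server that emits MsvAvTimestamp and MsvAvFlags is, by the footnotes, at least Windows Vista; a client that does not understand MsvAvFlags cannot know a MIC is required, which is exactly the gap the MIC-present bit closes for newer implementations.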

<18> Section 2.2.2.2: No version of Windows processes this field when sent on the wire.

<19> Section 2.2.2.2: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista do not create or send the CustomData field. The CustomData field is not processed when sent on the wire.

<20> Section 2.2.2.2: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista do not create or send the MachineID. The MachineID is not processed when sent on the wire.

<21> Section 2.2.2.5: Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 support only 128-bit session key negotiation by default; therefore this bit is always set.

<22> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_VERSION flag is not supported in Windows NT and Windows 2000. This flag is used for debug purposes only.

<23> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag is not set in the NEGOTIATE_MESSAGE to the server or in the CHALLENGE_MESSAGE to the client in Windows NT Server 4.0 SP3.

<24> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED flag is not supported in Windows NT and Windows 2000.

<25> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag is not supported in Windows NT and Windows 2000.

<26> Section 2.2.2.5: Windows sends this bit for anonymous connections, but a Windows-based NTLM server does not use this bit when establishing the session.

<27> Section 2.2.2.5: Windows NTLM clients can set this bit. No versions of Windows NTLM servers support it, so this bit is never used.

<28> Section 2.2.2.10: NTLMSSP_NEGOTIATE_VERSION cannot be negotiated in Windows NT, Windows 2000, and Windows XP SP1.

<29> Section 2.2.2.10: For Windows XP SP2 and Windows Server 2003, the value of this field is WINDOWS_MAJOR_VERSION_5. For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 the value of this field is WINDOWS_MAJOR_VERSION_6.

<30> Section 2.2.2.10: For Windows Vista and Windows Server 2008, the value of this field is WINDOWS_MINOR_VERSION_0. For Windows XP SP2, Windows 7, and Windows Server 2008 R2, the value of this field is WINDOWS_MINOR_VERSION_1. For Windows Server 2003, Windows 8, and Windows Server 2012, the value of this field is WINDOWS_MINOR_VERSION_2. For Windows 8.1 and Windows Server 2012 R2, the value of this field is WINDOWS_MINOR_VERSION_3.
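Footnotes <5>, <7> and <9> make one point that is easy to get wrong in a hand-written parser: the Version field is optional, so a fixed header length is not safe, but because every payload field is addressed by an offset from the start of the message, a parser that honours the offsets handles both layouts. The following is an added example, not code from MS-NLMP or from Windows, that parses a NEGOTIATE_MESSAGE this way and decodes the Version structure of section 2.2.2.10 (ProductMajorVersion, ProductMinorVersion, ProductBuild, NTLMRevisionCurrent) when the NTLMSSP_NEGOTIATE_VERSION flag is set and the bytes are present. Flag values are those of section 2.2.2.5; the two sample messages, the OEM code page of 437 (footnote <6> says it is configurable) and the build number are assumptions made for the example.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE_TYPE = 0x00000001

# NegotiateFlags bits, MS-NLMP section 2.2.2.5
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
NTLMSSP_NEGOTIATE_128 = 0x20000000

NTLMSSP_REVISION_W2K3 = 0x0F
OEM_CODEPAGE = "cp437"      # assumption: OEMCP of the sender is 437

HEADER_NO_VERSION = 32      # Signature .. WorkstationFields
HEADER_WITH_VERSION = 40    # .. plus the 8-byte Version structure


def _field(msg, pos):
    """Read a Len/MaxLen/BufferOffset triple and return the bytes it addresses.
    BufferOffset is relative to the START of the message, not to the payload,
    so this works whether or not a Version field sits in between."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if length and offset + length > len(msg):
        raise ValueError("payload field runs past the end of the message")
    return msg[offset:offset + length]


def parse_version(raw):
    """Decode the 8-byte VERSION structure of section 2.2.2.10."""
    major, minor, build = struct.unpack_from("<BBH", raw, 0)
    return {"major": major, "minor": minor, "build": build, "revision": raw[7]}


def parse_negotiate(msg):
    if len(msg) < HEADER_NO_VERSION:
        raise ValueError("too short for a NEGOTIATE_MESSAGE")
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != NEGOTIATE_MESSAGE_TYPE:
        raise ValueError("MessageType is not NEGOTIATE_MESSAGE")
    domain = _field(msg, 16) if flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED else b""
    wks = _field(msg, 24) if flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED else b""
    # A Windows NT / 2000 sender neither sets the flag nor emits the 8 bytes,
    # so only decode Version when both the flag and the bytes are present.
    version = None
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(msg) >= HEADER_WITH_VERSION:
        version = parse_version(msg[32:40])
    return {"flags": flags, "domain": domain.decode(OEM_CODEPAGE),
            "workstation": wks.decode(OEM_CODEPAGE), "version": version}


def is_well_formed(msg):
    try:
        parse_negotiate(msg)
        return True
    except ValueError:
        return False


def build_negotiate(flags, domain="", workstation="", version=None):
    """Encode a NEGOTIATE_MESSAGE; the header is 32 or 40 bytes depending on
    whether a (major, minor, build) version is supplied."""
    dom, wks = domain.encode(OEM_CODEPAGE), workstation.encode(OEM_CODEPAGE)
    if dom:
        flags |= NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
    if wks:
        flags |= NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
    if version:
        flags |= NTLMSSP_NEGOTIATE_VERSION
    header_len = HEADER_WITH_VERSION if version else HEADER_NO_VERSION
    msg = NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE_TYPE, flags)
    msg += struct.pack("<HHI", len(dom), len(dom), header_len)
    msg += struct.pack("<HHI", len(wks), len(wks), header_len + len(dom))
    if version:
        major, minor, build = version
        msg += struct.pack("<BBH3xB", major, minor, build, NTLMSSP_REVISION_W2K3)
    return msg + dom + wks


# Constructed samples (not captured traffic): a Windows 2000-style message
# without Version, and a message carrying WINDOWS_MAJOR_VERSION_6 /
# WINDOWS_MINOR_VERSION_1 with an assumed build number.
LEGACY_MSG = build_negotiate(NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM,
                             "CORP", "WS1")
MODERN_MSG = build_negotiate(NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM
                             | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                             | NTLMSSP_NEGOTIATE_128,
                             "CORP", "WS1", version=(6, 1, 7601))

if __name__ == "__main__":
    for name, msg in (("legacy", LEGACY_MSG), ("modern", MODERN_MSG)):
        print(name, len(msg), parse_negotiate(msg))
```

Both samples decode to the same domain and workstation even though the payload starts at offset 32 in one and 40 in the other; a parser that assumed a fixed 40-byte header would read the legacy message's domain four bytes too late. The bounds check in _field is what turns an out-of-range BufferOffset into an error rather than a slice of unrelated memory, which is the check a real implementation needs before trusting either field.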

<31> Section 3.1.1.1: The default value of this state variable is TRUE. Windows NT Server 4.0 SP3 does not support providing NTLM instead of LM responses.

<32> Section 3.1.1.1: The default value of this state variable is FALSE. ClientBlocked is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<33> Section 3.1.1.1: The default value of this state variable is NULL. ClientBlockExceptions is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<34> Section 3.1.1.1: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 this variable is set to FALSE. In Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, this variable is set to TRUE.

<35> Section 3.1.1.1: In Windows NT 4.0 and Windows 2000, the maximum lifetime for the challenge is 30 minutes. In Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, the maximum lifetime is 36 hours.

<36> Section 3.1.1.2: Windows exposes these logical parameters to applications through the SSPI interface.

<37> Section 3.1.1.2: ClientSuppliedTargetName is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<38> Section 3.1.1.2: ClientChannelBindingsUnhashed is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<39> Section 3.1.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<40> Section 3.1.4: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<41> Section 3.1.5.1.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<42> Section 3.1.5.1.2: Not supported by Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<43> Section 3.1.5.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<44> Section 3.1.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<45> Section 3.1.5.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<46> Section 3.1.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<47> Section 3.1.5.2: Connectionless is not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2.

<48> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<49> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<50> Section 3.1.5.2.1: Not supported by Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<51> Section 3.1.5.2.1: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<52> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<53> Section 3.1.5.2.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<54> Section 3.2.1.1: The default value of this state variable is FALSE. ServerBlock is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008.

<55> Section 3.2.1.1: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 this variable is set to FALSE. In Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 this variable is set to TRUE.

<56> Section 3.2.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<57> Section 3.2.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<58> Section 3.2.5.1.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<59> Section 3.2.5.1.1: Windows NT will set NTLMSSP_NEGOTIATE_TARGET_INFO only if NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is set. Windows 2000, Windows XP, and Windows Server 2003 will set NTLMSSP_NEGOTIATE_TARGET_INFO only if NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY or NTLMSSP_REQUEST_TARGET is set.

<60> Section 3.2.5.1.2: ServerBlock is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<61> Section 3.2.5.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<62> Section 3.2.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<63> Section 3.2.5.1.2: MIC fields are not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<64> Section 3.2.5.1.2: Supported by Windows NT, Windows 2000 and Windows XP.

<65> Section 3.2.5.2: Connectionless NTLM is not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<66> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<67> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<68> Section 3.2.5.2.2: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<69> Section 3.2.5.2.2: Supported by Windows NT, Windows 2000 and Windows XP.

<70> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<71> Section 3.2.5.2.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<72> Section 3.3.1: If the client sends a domain that is unknown to the server, the server tries to perform the authentication against the local database.

<73> Section 3.3.2: If the client sends a domain that is unknown to the server, the server tries to perform the authentication against the local database.

<74> Section 5.1: NTLM domain considerations are as follows:

Microsoft DCs determine the minimum security requirements for NTLM authentication between a Windows client and the local Windows domain. Based on the minimum security settings in place, the DC can either allow or refuse the use of LM, NTLM, or NTLM v2 authentication, and servers can force the use of extended session security on all messages between the client and server. In a Windows domain, the DC controls domain level security settings through the use of Windows Group Policy, which replicates security policies to clients and servers throughout the local domain.

Domain-level security policies dictated by Windows Group Policy must be supported on the local system for authentication to take place. During NTLM authentication, clients and servers exchange NTLM capability flags that specify what levels of security they are able to support. If either the client or server's level of security support is less than the security policies of the domain, the authentication attempt is refused by the computer with the higher level of minimum security requirements. This is important for interdomain authentication where differing security policies may be enforced on either domain, and the client or server may not be able to support the security policies of the other's domain.

NTLM security levels are as follows:

The security policies exchanged by the server and client can be set independently of the DC minimum security requirements dictated by Windows Group Policy. Higher local security policies can be exchanged by a client and server in a domain with low minimum security requirements in connection-oriented authentication during the capability flags exchange. However, during connectionless (datagram-oriented) authentication, it is not possible to exchange higher local security policies because they are strictly enforced by Windows Group Policy. Local security policies that are set independently of the DC are subordinate to domain-level security policies for clients authenticating to a server on the local domain; therefore, it is not possible to use local-system policies that are less secure than domain-level policies.

Stand-alone servers that do not have a DC to authenticate clients set their own minimum security requirements.

NTLM security levels determine the minimum security settings allowed on a client, server, or DC to authenticate in an NTLM domain. Starting with Windows NT 4.0 SP3, the security level is set through the following registry value, which takes one of the security level values listed below.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

Security-level descriptions (here "NTLM" means the NTLM v1 response; a client's level governs which responses it sends, a DC's level governs which responses it accepts):

0: Clients send LM and NTLM responses and never use extended session security. DCs accept LM, NTLM, and NTLM v2 authentication.

1: Clients send LM and NTLM responses and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

2: Clients send the NTLM response only and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

3: Clients send the NTLM v2 response only and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

4: Clients send the NTLM v2 response only and use extended session security if the server supports it. DCs refuse LM authentication but accept NTLM and NTLM v2 authentication.

5: Clients send the NTLM v2 response only and use extended session security if the server supports it. DCs refuse LM and NTLM authentication and accept only NTLM v2 authentication.
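The practical question behind these levels is which client levels stop authenticating when a DC is raised to 4 or 5. The following is an added example, not code from MS-NLMP or from Windows, that models each level as the set of response types a client sends and the set a DC accepts, and reports the outcome of a client/DC pairing as the strongest response both sides share (or refusal). It follows the level descriptions above, with level 4 modelled as NTLM v2-only on the client side as the Windows policy "Send NTLMv2 response only. Refuse LM" behaves; the STRENGTH ordering and the assumption that a DC validates the strongest response present are simplifications made for the example.

```python
LM, NTLM, NTLMV2 = "LM", "NTLM", "NTLMv2"
STRENGTH = [LM, NTLM, NTLMV2]   # assumed preference when several are usable

# Response types a client at each LMCompatibilityLevel sends.
CLIENT_SENDS = {
    0: {LM, NTLM},
    1: {LM, NTLM},
    2: {NTLM},
    3: {NTLMV2},
    4: {NTLMV2},
    5: {NTLMV2},
}
# Whether the client asks for extended session security (used only if the
# server supports it).
CLIENT_ESS = {0: False, 1: True, 2: True, 3: True, 4: True, 5: True}

# Response types a DC at each level accepts.
DC_ACCEPTS = {
    0: {LM, NTLM, NTLMV2},
    1: {LM, NTLM, NTLMV2},
    2: {LM, NTLM, NTLMV2},
    3: {LM, NTLM, NTLMV2},
    4: {NTLM, NTLMV2},
    5: {NTLMV2},
}


def negotiate(client_level, dc_level, server_supports_ess=True):
    """Return (response_type, extended_session_security) for a pairing, or
    None when the DC refuses every response the client is willing to send."""
    usable = CLIENT_SENDS[client_level] & DC_ACCEPTS[dc_level]
    if not usable:
        return None
    best = max(usable, key=STRENGTH.index)
    return best, CLIENT_ESS[client_level] and server_supports_ess


def clients_refused_by_dc(dc_level):
    """Client levels that can no longer authenticate once a DC is at dc_level."""
    return [lvl for lvl in sorted(CLIENT_SENDS) if negotiate(lvl, dc_level) is None]


def matrix():
    """Outcome for every client/DC level pairing, keyed by (client, dc)."""
    return {(c, d): negotiate(c, d) for c in CLIENT_SENDS for d in DC_ACCEPTS}


if __name__ == "__main__":
    for (c, d), outcome in sorted(matrix().items()):
        print(f"client {c} -> DC {d}: {outcome or 'refused'}")
    print("refused at DC level 5:", clients_refused_by_dc(5))
```

Raising a DC to level 4 refuses nothing that a level 0 or 1 client sends, because those clients also include an NTLM response; level 5 is the step that cuts off levels 0 through 2, which is why auditing client LMCompatibilityLevel values has to precede a DC-side change to 5.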

 
© 2014 Microsoft