3.1.5 Message Processing Events and Sequencing Rules

NTLM logon is a stateless protocol with request-response semantics.

The NTLM server SHOULD call the NetrLogonSamLogonEx method<8> ([MS-NRPC] section 3.5.4.5.1) with the parameters defined in the following sections. Based on the account name supplied, a domain controller (DC) for the domain MUST be located ([MS-ADTS] section 6.3.6). The NTLM server MUST establish a connection with the DC ([MS-NRPC] section 3.1.4.6). The NTLM server SHOULD invoke the NetrLogonSamLogonEx method ([MS-NRPC] section 3.5.4.5.1).<9>

If NTLMServerDomainBlocked == TRUE, then the NTLM server MUST return STATUS_NTLM_BLOCKED to the NTLM client.<10>

If the DC is of the resource domain,

  • If ResourceDCBlocked == TRUE, and the NTLM server's name is not equal to any of the DCBlockExceptions server names, then the DC MUST return STATUS_NTLM_BLOCKED.<11>

If the DC is of the account domain,

  • If AccountDCBlocked == TRUE, then the APDS server MUST return STATUS_NTLM_BLOCKED.<12>

  • If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is >= 6, the account is not also the NTLM server's account, and the APDS server determines that an authentication policy setting ([MS-KILE] section 3.3.5.5) applies, then:

    • If the account is:

      • A user account object, and the corresponding msDS-UserAllowedToAuthenticateFrom ([MS-ADA2] section 2.457) is populated, then the APDS MUST return STATUS_ACCOUNT_RESTRICTION.<13>

      • A managed service account object, and the corresponding msDS-ServiceAllowedToAuthenticateFrom ([MS-ADA2] section 2.432) is populated, then the APDS MUST return STATUS_ACCOUNT_RESTRICTION.<14>

    • If AllowedToAuthenticateTo is not NULL, an access check is performed to determine whether the user has the ACTRL_DS_CONTROL_ACCESS right against the AllowedToAuthenticateTo. If the access check fails the APDS MUST return STATUS_AUTHENTICATION_FIREWALL_FAILED.<15>

The DC MUST verify the account access status. If the account is not valid for logon, the APDS server will return one of the following errors:

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) D flag is set to TRUE, the APDS server SHOULD return STATUS_ACCOUNT_DISABLED.

  • If the AccountExpires attribute ([MS-ADA1] section 2.1) is set to a value that is in the past, the APDS server SHOULD return STATUS_ACCOUNT_EXPIRED.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) L flag is set to TRUE, the APDS server SHOULD return STATUS_ACCOUNT_LOCKED_OUT.

  • If the current time is not within logonHours attribute ([MS-ADA1] section 2.376), the APDS server SHOULD return STATUS_INVALID_LOGON_HOURS.

  • If PasswordMustChange, which is generated with the same method as the SAM ([MS-SAMR] section 3.1.5.14.4), is set to a value that is in the past, then the APDS server SHOULD return STATUS_PASSWORD_EXPIRED.

  • If PasswordMustChange, which is generated with the same method as the SAM ([MS-SAMR] section 3.1.5.14.4), is zero, then the APDS server SHOULD return STATUS_PASSWORD_MUST_CHANGE.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) SR flag is set to TRUE, because this is a password-based logon, the APDS server SHOULD return STATUS_SMARTCARD_LOGON_REQUIRED.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) ID flag is set to TRUE, the APDS server SHOULD return STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) WT flag is set to TRUE, the APDS server SHOULD return STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) ST flag is set to TRUE, the APDS server SHOULD return STATUS_NOLOGON_SERVER_TRUST_ACCOUNT.

An APDS server implementation MAY choose to send more descriptive error codes (as in the case above). However, the NTLM server MUST treat any error returned by the DC as a logon failure.
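The account access checks above, as an added Python example that is not part of the specification: it evaluates a constructed account record in the order the bullets give and returns the NTSTATUS name the APDS server would send. The userAccountControl bit values are those defined in [MS-ADTS] section 2.2.16; the logonHours bit layout (one bit per hour of the week from Sunday 00:00 UTC, least significant bit first), the accountExpires "never" sentinels and the reading of a zero PasswordMustChange are assumptions, and PasswordMustChange is taken as an input rather than recomputed by the [MS-SAMR] method.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# userAccountControl bits ([MS-ADTS] section 2.2.16), named with the letters the text uses.
UF_D, UF_L, UF_ID, UF_WT, UF_ST, UF_SR = 0x2, 0x10, 0x800, 0x1000, 0x2000, 0x40000
FILETIME_MAX = 0x7FFFFFFFFFFFFFFF          # with 0, the assumed "never expires" sentinel
SAMPLE_NOW = datetime(2014, 6, 4, 10, 30, tzinfo=timezone.utc)   # constructed: a Wednesday

def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01), integer arithmetic only."""
    d = dt - datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

@dataclass
class Account:
    """Constructed subset of the AD account attributes the checks read."""
    user_account_control: int = 0
    account_expires: int = 0                  # FILETIME; 0 or FILETIME_MAX = never
    logon_hours: bytes = b"\xff" * 21         # 168-bit bitmap, 1 = logon permitted
    password_must_change: int = FILETIME_MAX  # FILETIME; 0 = must change at next logon

def logon_hours_allow(bitmap, now):
    # Assumed layout: bit n is hour n of the week from Sunday 00:00 UTC, LSB first.
    hour = ((now.weekday() + 1) % 7) * 24 + now.hour
    return bool(bitmap[hour // 8] & (1 << (hour % 8)))

def account_access_status(acct, now):
    """NTSTATUS name the APDS server returns for the account, STATUS_SUCCESS if usable."""
    uac, ft_now = acct.user_account_control, to_filetime(now)
    if uac & UF_D:
        return "STATUS_ACCOUNT_DISABLED"
    if acct.account_expires not in (0, FILETIME_MAX) and acct.account_expires < ft_now:
        return "STATUS_ACCOUNT_EXPIRED"
    if uac & UF_L:
        return "STATUS_ACCOUNT_LOCKED_OUT"
    if not logon_hours_allow(acct.logon_hours, now):
        return "STATUS_INVALID_LOGON_HOURS"
    if 0 < acct.password_must_change < ft_now:   # a real point in time that has passed
        return "STATUS_PASSWORD_EXPIRED"
    if acct.password_must_change == 0:           # assumed: zero marks "change at next logon"
        return "STATUS_PASSWORD_MUST_CHANGE"
    if uac & UF_SR:                              # password-based logon, smart card required
        return "STATUS_SMARTCARD_LOGON_REQUIRED"
    if uac & UF_ID:
        return "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT"
    if uac & UF_WT:
        return "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT"
    if uac & UF_ST:
        return "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT"
    return "STATUS_SUCCESS"
```

Because the checks are ordered, a disabled account that is also locked out reports STATUS_ACCOUNT_DISABLED, which is the first matching bullet.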

The DC SHOULD attempt to validate the request, increment LogonAttempts, and if successful, SHOULD proceed to authenticate the user. If validation is unsuccessful, the DC MUST return an error. The role of the DC in the NTLM authentication sequence is specified in [MS-NLMP] section 3.3.

Upon successful validation,

  • If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is >= 6 and the user is a member of PROTECTED_USERS ([MS-DTYP] section 2.4.2.4), then the APDS MUST return STATUS_ACCOUNT_RESTRICTION.<16>

  • Otherwise, the user account's DC MUST send the domain global groups and universal groups (that the user is a member of) to the server's DC, and MUST follow the trust path that was used to contact the user's account DC ([MS-NRPC] section 3.5.4.5.1).

When a trust crossed in the trust path has the TRUST_ATTRIBUTE_CROSS_ORGANIZATION attribute ([MS-LSAD] section 2.2.7.9) set, the DC MUST add the OTHER_ORGANIZATION SID ([MS-DTYP] section 2.4.2.4) to the user's groups.

When a user has the OTHER_ORGANIZATION SID, the server domain DC MUST perform an access check where:

  • The security descriptor MUST contain the ACL granting the client user ACTRL_DS_CONTROL_ACCESS ([MS-SAMR] section 2.2.1.17) to the server computer's AD account object.

If the access check fails, the DC MUST reject the authentication request and return STATUS_AUTHENTICATION_FIREWALL_FAILED. The server domain DC also MUST add the domain local groups, and then send the entire list of groups to the NTLM server to be used for authorization decisions.

For NTLM server implementations that use an authorization model that is based on a security identifier (SID), the server SHOULD populate the User SID and Security Group SIDs in the ImpersonationAccessToken (section 3.1.1) as follows:

The server SHOULD call GatherGroupMembershipForSystem ([MS-DTYP] section 2.5.2.1.1), where InitialMembership contains the ImpersonationAccessToken.Sids array, and set the ImpersonationAccessToken.Sids array to FinalMembership.

The server SHOULD call AddPrivilegesToToken ([MS-DTYP] section 2.5.2.1.2), where Token contains ImpersonationAccessToken.

Other SID structures may be added to ImpersonationAccessToken following authentication (see [MS-DTYP] section 2.7.1).

© 2014 Microsoft