
2.2.1.1 NEGOTIATE_MESSAGE

The NEGOTIATE_MESSAGE defines an NTLM Negotiate message that is sent from the client to the server. This message allows the client to specify its supported NTLM options to the server.


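 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Signature                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          MessageType                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        NegotiateFlags                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       DomainNameFields                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       WorkstationFields                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                            Version                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Payload (variable)                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+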

Signature (8 bytes): An 8-byte character array that MUST contain the ASCII string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').

MessageType (4 bytes): A 32-bit unsigned integer that indicates the message type. This field MUST be set to 0x00000001.

 

NegotiateFlags (4 bytes): A NEGOTIATE structure that contains a set of bit flags, as defined in section 2.2.2.5. The client sets flags to indicate options it supports.

DomainNameFields (8 bytes): If the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag is set in NegotiateFlags, indicating that a DomainName is supplied in Payload, the fields take the appropriate values documented under the field diagram.

Otherwise, if the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag is not set in NegotiateFlags, indicating that no DomainName is supplied in Payload, they take the following values:

  • DomainNameLen and DomainNameMaxLen fields SHOULD be set to zero.

  • DomainNameBufferOffset field SHOULD be set to the offset from the beginning of the NEGOTIATE_MESSAGE to where the DomainName would be in Payload if it was present.

  • DomainNameLen, DomainNameMaxLen, and DomainNameBufferOffset MUST be ignored on receipt.


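 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         DomainNameLen         |       DomainNameMaxLen        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    DomainNameBufferOffset                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+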

DomainNameLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of DomainName in Payload.

DomainNameMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of DomainNameLen and MUST be ignored on receipt.

DomainNameBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the NEGOTIATE_MESSAGE to DomainName in Payload.

WorkstationFields (8 bytes): If the NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED flag is set in NegotiateFlags, indicating that a WorkstationName is supplied in Payload, the fields take the appropriate values as documented under the field diagram.

Otherwise, if the NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED flag is not set in NegotiateFlags, indicating that no WorkstationName is supplied in Payload, they take the following values:

  • WorkstationLen and WorkstationMaxLen fields SHOULD be set to zero.

  • WorkstationBufferOffset field SHOULD be set to the offset from the beginning of the NEGOTIATE_MESSAGE to where the WorkstationName would be in Payload if it was present.

  • WorkstationLen, WorkstationMaxLen, and WorkstationBufferOffset MUST be ignored on receipt.


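 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        WorkstationLen         |       WorkstationMaxLen       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    WorkstationBufferOffset                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+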

WorkstationLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of WorkstationName in Payload.

WorkstationMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of WorkstationLen and MUST be ignored on receipt.

WorkstationBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the NEGOTIATE_MESSAGE to WorkstationName in Payload.

Version (8 bytes): A VERSION structure (as defined in section 2.2.2.10) that is present only when the NTLMSSP_NEGOTIATE_VERSION flag is set in the NegotiateFlags field. This structure is used for debugging purposes only. In normal (non-debugging) protocol messages, it is ignored and does not affect the NTLM message processing.<5>

Payload (variable): A byte-array that contains the data referred to by the DomainNameBufferOffset and WorkstationBufferOffset message fields. Payload data can be present in any order within the Payload field, with variable-length padding before or after the data. The data that can be present in the Payload field of this message, in no particular order, are:


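 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     DomainName (variable)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  WorkstationName (variable)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+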

DomainName (variable): If DomainNameLen does not equal 0x0000, DomainName MUST be a byte-array that contains the name of the client authentication domain that MUST be encoded using the OEM character set. Otherwise, this data is not present.<6>

WorkstationName (variable): If WorkstationLen does not equal 0x0000, WorkstationName MUST be a byte array that contains the name of the client machine that MUST be encoded using the OEM character set. Otherwise, this data is not present.
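
A receive-side parser for the layout above, added here as an illustration and not part of the Microsoft specification: it applies the "MUST be ignored on receipt" rule when a *_SUPPLIED flag is clear and bounds-checks each offset and length against the received message before reading Payload. It assumes little-endian integers and uses the flag bit values from section 2.2.2.5, neither of which appears on this page; parse_negotiate and build_sample are names chosen for the example.

```python
import struct

# Flag bit values from the NEGOTIATE structure (section 2.2.2.5), not shown on this page.
OEM_DOMAIN_SUPPLIED = 0x00001000
OEM_WORKSTATION_SUPPLIED = 0x00002000
NEGOTIATE_VERSION = 0x02000000
FIXED_LEN = 32  # Signature + MessageType + NegotiateFlags + two 8-byte field groups


def _payload_field(msg, fields_at, supplied, min_offset):
    """Return the raw OEM bytes a Len/MaxLen/BufferOffset triple points at, or b''."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, fields_at)
    if not supplied or length == 0:
        return b""  # flag clear: the three fields MUST be ignored on receipt
    if offset < min_offset or offset + length > len(msg):
        raise ValueError("payload field at %d points outside Payload" % fields_at)
    return msg[offset:offset + length]


def parse_negotiate(msg):
    """Parse a NEGOTIATE_MESSAGE; raise ValueError on any malformed input."""
    if len(msg) < FIXED_LEN:
        raise ValueError("message shorter than fixed header")
    signature, msg_type, flags = struct.unpack_from("<8sII", msg, 0)
    if signature != b"NTLMSSP\x00":
        raise ValueError("bad Signature")
    if msg_type != 0x00000001:
        raise ValueError("MessageType is not NEGOTIATE")
    has_version = bool(flags & NEGOTIATE_VERSION)
    payload_start = FIXED_LEN + (8 if has_version else 0)
    if len(msg) < payload_start:
        raise ValueError("Version flag set but structure truncated")
    return {
        "flags": flags,
        "version": msg[FIXED_LEN:payload_start],
        "domain": _payload_field(msg, 16, flags & OEM_DOMAIN_SUPPLIED, payload_start),
        "workstation": _payload_field(msg, 24, flags & OEM_WORKSTATION_SUPPLIED, payload_start),
    }


def build_sample(flags, domain=b"", workstation=b"", dom_len=None):
    """Constructed test message (no Version); dom_len lets a test lie about the length."""
    dom_off = FIXED_LEN
    ws_off = dom_off + len(domain)
    dlen = len(domain) if dom_len is None else dom_len
    head = struct.pack("<8sIIHHIHHI", b"NTLMSSP\x00", 1, flags,
                       dlen, dlen, dom_off, len(workstation), len(workstation), ws_off)
    return head + domain + workstation
```

The names are returned as raw bytes because the OEM code page in use is not carried in the message.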

 
© 2014 Microsoft