
2.2.1.2 CHALLENGE_MESSAGE

The CHALLENGE_MESSAGE defines an NTLM challenge message that is sent from the server to the client. The CHALLENGE_MESSAGE is used by the server to challenge the client to prove its identity. For connection-oriented requests, the CHALLENGE_MESSAGE generated by the server is in response to the NEGOTIATE_MESSAGE (section 2.2.1.1) from the client.


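 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------------------------------+
| Signature                                                     |
| ...                                                           |
+---------------------------------------------------------------+
| MessageType                                                   |
+---------------------------------------------------------------+
| TargetNameFields                                              |
| ...                                                           |
+---------------------------------------------------------------+
| NegotiateFlags                                                |
+---------------------------------------------------------------+
| ServerChallenge                                               |
| ...                                                           |
+---------------------------------------------------------------+
| Reserved                                                      |
| ...                                                           |
+---------------------------------------------------------------+
| TargetInfoFields                                              |
| ...                                                           |
+---------------------------------------------------------------+
| Version                                                       |
| ...                                                           |
+---------------------------------------------------------------+
| Payload (variable)                                            |
| ...                                                           |
+---------------------------------------------------------------+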

Signature (8 bytes): An 8-byte character array that MUST contain the ASCII string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').

MessageType (4 bytes): A 32-bit unsigned integer that indicates the message type. This field MUST be set to 0x00000002.

 

TargetNameFields (8 bytes): If the NTLMSSP_REQUEST_TARGET flag is not set in NegotiateFlags, indicating that no TargetName is required:

  • TargetNameLen and TargetNameMaxLen SHOULD be set to zero on transmission.

  • TargetNameBufferOffset field SHOULD be set to the offset from the beginning of the CHALLENGE_MESSAGE to where the TargetName would be in Payload if it were present.

  • TargetNameLen, TargetNameMaxLen, and TargetNameBufferOffset MUST be ignored on receipt.

Otherwise, these fields are defined as:


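 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
| TargetNameLen                 | TargetNameMaxLen              |
+-------------------------------+-------------------------------+
| TargetNameBufferOffset                                        |
+---------------------------------------------------------------+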

TargetNameLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of TargetName in Payload.

TargetNameMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of TargetNameLen and MUST be ignored on receipt.

TargetNameBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the CHALLENGE_MESSAGE to TargetName in Payload. If TargetName is a Unicode string, the values of TargetNameBufferOffset and TargetNameLen MUST be multiples of 2.

NegotiateFlags (4 bytes): A NEGOTIATE structure that contains a set of bit flags, as defined by section 2.2.2.5. The server sets flags to indicate options it supports or, if there has been a NEGOTIATE_MESSAGE (section 2.2.1.1), the choices it has made from the options offered by the client.

ServerChallenge (8 bytes): A 64-bit value that contains the NTLM challenge. The challenge is a 64-bit nonce. The processing of the ServerChallenge is specified in sections 3.1.5 and 3.2.5.

Reserved (8 bytes): An 8-byte array whose elements MUST be zero when sent and MUST be ignored on receipt.

 

TargetInfoFields (8 bytes): If the NTLMSSP_NEGOTIATE_TARGET_INFO flag of NegotiateFlags is clear, indicating that no TargetInfo is required:

  • TargetInfoLen and TargetInfoMaxLen SHOULD be set to zero on transmission.

  • TargetInfoBufferOffset field SHOULD be set to the offset from the beginning of the CHALLENGE_MESSAGE to where the TargetInfo would be in Payload if it were present.

  • TargetInfoLen, TargetInfoMaxLen, and TargetInfoBufferOffset MUST be ignored on receipt.

Otherwise, these fields are defined as:


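 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
| TargetInfoLen                 | TargetInfoMaxLen              |
+-------------------------------+-------------------------------+
| TargetInfoBufferOffset                                        |
+---------------------------------------------------------------+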

TargetInfoLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of TargetInfo in Payload.

TargetInfoMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of TargetInfoLen and MUST be ignored on receipt.

TargetInfoBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the CHALLENGE_MESSAGE to TargetInfo in Payload.

Version (8 bytes): A VERSION structure (as defined in section 2.2.2.10) that is present only when the NTLMSSP_NEGOTIATE_VERSION flag is set in the NegotiateFlags field. This structure is used for debugging purposes only. In normal (non-debugging) protocol messages, it is ignored and does not affect the NTLM message processing.<7>

Payload (variable): A byte array that contains the data referred to by the TargetNameBufferOffset and TargetInfoBufferOffset message fields. Payload data can be present in any order within the Payload field, with variable-length padding before or after the data. The data that can be present in the Payload field of this message, in no particular order, are:


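 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------------------------------+
| TargetName (variable)                                         |
| ...                                                           |
+---------------------------------------------------------------+
| TargetInfo (variable)                                         |
| ...                                                           |
+---------------------------------------------------------------+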

TargetName (variable): If TargetNameLen does not equal 0x0000, TargetName MUST be a byte array that contains the name of the server authentication realm, and MUST be expressed in the negotiated character set. A server that is a member of a domain returns the domain of which it is a member, and a server that is not a member of a domain returns the server name.

TargetInfo (variable): If TargetInfoLen does not equal 0x0000, TargetInfo MUST be a byte array that contains a sequence of AV_PAIR structures. The AV_PAIR structure is defined in section 2.2.2.1. The length of each AV_PAIR is determined by its AvLen field (plus 4 bytes).

Note: An AV_PAIR structure can start on any byte alignment and the sequence of AV_PAIRs has no padding between structures.

The sequence MUST be terminated by an AV_PAIR structure with an AvId field of MsvAvEOL. The total length of the TargetInfo byte array is the sum of the lengths, in bytes, of the AV_PAIR structures it contains.

Note: If a TargetInfo AV_PAIR Value is textual, it MUST be encoded in Unicode irrespective of what character set was negotiated (section 2.2.2.1).
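The field rules above, applied as a bounds-checked receiver-side parser. This is an added example, not part of the specification or of any Microsoft code. The flag bit values come from section 2.2.2.5 and the AvId values from section 2.2.2.1; the function names and the sample message are constructed for illustration.

```python
import struct

# Flag bits (section 2.2.2.5) and the MsvAvEOL AvId (section 2.2.2.1).
NEGOTIATE_UNICODE, REQUEST_TARGET, NEGOTIATE_TARGET_INFO = 0x1, 0x4, 0x00800000
MSV_AV_EOL = 0x0000
HEADER = struct.Struct("<8sIHHII8s8sHHI")  # Signature..TargetInfoFields, 48 bytes

def _slice(msg, length, offset, what):
    # Payload data must lie after the fixed fields and inside the message.
    if offset < HEADER.size or offset + length > len(msg):
        raise ValueError(f"{what} buffer lies outside the message")
    return msg[offset:offset + length]

def parse_av_pairs(info):
    """Walk unpadded AV_PAIRs (AvId, AvLen, Value) up to the MsvAvEOL terminator."""
    pairs, pos = [], 0
    while pos + 4 <= len(info):
        av_id, av_len = struct.unpack_from("<HH", info, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        if pos + av_len > len(info):
            raise ValueError("AV_PAIR value overruns TargetInfo")
        pairs.append((av_id, info[pos:pos + av_len]))
        pos += av_len
    raise ValueError("TargetInfo is not terminated by MsvAvEOL")

def parse_challenge(msg):
    # Signature "NTLMSSP\0" followed by MessageType 0x00000002 (little-endian).
    if len(msg) < HEADER.size or msg[:12] != b"NTLMSSP\0\x02\0\0\0":
        raise ValueError("not a well-formed CHALLENGE_MESSAGE")
    (_, _, tn_len, _, tn_off, flags, challenge, _,
     ti_len, _, ti_off) = HEADER.unpack_from(msg)
    out = {"flags": flags, "challenge": challenge, "target_name": None, "target_info": []}
    # Length/offset fields are ignored when the governing flag is clear.
    uni = flags & NEGOTIATE_UNICODE
    if flags & REQUEST_TARGET and tn_len:
        if uni and (tn_len | tn_off) & 1:
            raise ValueError("Unicode TargetName length/offset must be even")
        raw = _slice(msg, tn_len, tn_off, "TargetName")
        out["target_name"] = raw.decode("utf-16-le") if uni else raw
    if flags & NEGOTIATE_TARGET_INFO and ti_len:
        out["target_info"] = parse_av_pairs(_slice(msg, ti_len, ti_off, "TargetInfo"))
    return out

# Constructed sample (not captured traffic): realm "LAB", one AV_PAIR, then MsvAvEOL.
_N = "LAB".encode("utf-16-le")
_TI = struct.pack("<HH", 2, len(_N)) + _N + struct.pack("<HH", MSV_AV_EOL, 0)
SAMPLE = HEADER.pack(b"NTLMSSP\0", 2, len(_N), len(_N), 48, 0x00800005, bytes(range(8)),
                     bytes(8), len(_TI), len(_TI), 48 + len(_N)) + _N + _TI
```

A TargetName that is not Unicode is returned as raw bytes, because the OEM code page is not carried in the message.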

 