
3.2.5.1.1 Server Receives a NEGOTIATE_MESSAGE from the Client

Upon receipt of the embedded NEGOTIATE_MESSAGE, the server MUST extract and decode the NEGOTIATE_MESSAGE.

If ServerBlock == TRUE, then the server MUST return STATUS_NOT_SUPPORTED.<58>

If the security features selected by the client are not strong enough for the server security policy, the server MUST return an error to the calling application. Otherwise, the server MUST respond with a CHALLENGE_MESSAGE. This message carries the negotiated features and a 64-bit (8-byte) nonce for the ServerChallenge value. The nonce is a pseudo-random number generated by the server and intended for one-time use. The flags returned in the CHALLENGE_MESSAGE in this step indicate which variant the server wants to use and whether the server's domain name or machine name is present in the TargetName field.

If ServerRequire128bitEncryption == TRUE and 128-bit encryption is not negotiated, then the server MUST return SEC_E_UNSUPPORTED_FUNCTION to the application.

The server processes the NEGOTIATE_MESSAGE and constructs a CHALLENGE_MESSAGE per the following pseudocode where all strings are encoded as RPC_UNICODE_STRING ([MS-DTYP] section 2.3.10).

-- Input:
--   CfgFlg - Defined in section 3.2.1.
--   An NTLM NEGOTIATE_MESSAGE whose message fields are defined in
--   section 2.2.1.1.
--
-- Output:
--   An NTLM CHALLENGE_MESSAGE whose message fields are defined in
--   section 2.2.1.2.
--
-- Functions used:
--   AddAVPair(), NIL, NONCE - Defined in section 6.

The server SHOULD return only the capabilities it supports. For example, if a newer client requests capability X and the server only supports capabilities A-U, inclusive, then the server does not return capability X. The CHALLENGE_MESSAGE.NegotiateFlags field SHOULD<59> be set to the following:

  • All the flags set in CfgFlg (section 3.2.1.1)

  • The supported flags requested in the NEGOTIATE_MESSAGE.NegotiateFlags field

  • NTLMSSP_REQUEST_TARGET

  • NTLMSSP_NEGOTIATE_NTLM

  • NTLMSSP_NEGOTIATE_ALWAYS_SIGN

The Signature field MUST be set to the string, "NTLMSSP". The MessageType field MUST be set to 0x00000002, indicating a message type of NtLmChallenge. The ServerChallenge field MUST be set to an 8-byte nonce.

If the NTLMSSP_NEGOTIATE_VERSION flag is set, the Version field MUST be set to the current version (section 2.2.2.10).

If (NTLMSSP_NEGOTIATE_UNICODE is set in NEGOTIATE.NegotiateFlags)
     Set the NTLMSSP_NEGOTIATE_UNICODE flag in
     CHALLENGE_MESSAGE.NegotiateFlags
ElseIf (NTLMSSP_NEGOTIATE_OEM flag is set in NEGOTIATE.NegotiateFlags)
     Set the NTLMSSP_NEGOTIATE_OEM flag in
     CHALLENGE_MESSAGE.NegotiateFlags
EndIf
If (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag is set in
NEGOTIATE.NegotiateFlags)
     Set the NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag in
     CHALLENGE_MESSAGE.NegotiateFlags
ElseIf (NTLMSSP_NEGOTIATE_LM_KEY flag is set in NEGOTIATE.NegotiateFlags)
     Set the NTLMSSP_NEGOTIATE_LM_KEY flag in
     CHALLENGE_MESSAGE.NegotiateFlags
EndIf
If (Server is domain joined)
      Set CHALLENGE_MESSAGE.TargetName to NbDomainName
      Set the NTLMSSP_TARGET_TYPE_DOMAIN flag in
      CHALLENGE_MESSAGE.NegotiateFlags
Else
      Set CHALLENGE_MESSAGE.TargetName to NbMachineName
      Set the NTLMSSP_TARGET_TYPE_SERVER flag in
      CHALLENGE_MESSAGE.NegotiateFlags
EndIf

Set the NTLMSSP_NEGOTIATE_TARGET_INFO and NTLMSSP_REQUEST_TARGET flags in
CHALLENGE_MESSAGE.NegotiateFlags

If (NbMachineName is not NIL)
     AddAvPair(TargetInfo, MsvAvNbComputerName, NbMachineName)
EndIf
If (NbDomainName is not NIL)
     AddAvPair(TargetInfo, MsvAvNbDomainName, NbDomainName)
EndIf
If (DnsMachineName is not NIL)
     AddAvPair(TargetInfo, MsvAvDnsComputerName, DnsMachineName)
EndIf
If (DnsDomainName is not NIL)
     AddAvPair(TargetInfo, MsvAvDnsDomainName, DnsDomainName)
EndIf
If (DnsForestName is not NIL)
     AddAvPair(TargetInfo, MsvAvDnsTreeName, DnsForestName)
EndIf
AddAvPair(TargetInfo, MsvAvEOL, NIL)

When this process is complete, the server MUST send the CHALLENGE_MESSAGE to the client, embedded in an application protocol message, and encoded according to that application protocol.
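As an added worked example (not the specification's own code), the following Python models the construction described above: the policy checks (ServerBlock, ServerRequire128bitEncryption), the NegotiateFlags selection from the bullet list and the If/ElseIf blocks, the TargetName choice, the AddAvPair calls that build TargetInfo, and the final byte layout, plus a decoder that reads a CHALLENGE_MESSAGE back so the result can be inspected the way a client or an analyst would. Assumptions of the example: the numeric flag and AvId values are taken from MS-NLMP sections 2.2.2.5 and 2.2.2.1 and the field layout from section 2.2.1.2, none of which this page reproduces; SERVER_SUPPORTED stands in for "capabilities A-U"; "Server is domain joined" is modelled as "an NbDomainName is configured"; NtlmPolicyError and the status-name strings are this example's way of returning the errors the page names to the calling application; the Version field is kept at a fixed 8 bytes (zeroed when not negotiated) so that payload offsets stay constant.

```python
import os
import struct

# NegotiateFlags bit values from MS-NLMP section 2.2.2.5 (not reproduced on this page).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_LM_KEY = 0x00000080
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
NTLMSSP_NEGOTIATE_128 = 0x20000000

# AvId values for AV_PAIR entries in TargetInfo (MS-NLMP section 2.2.2.1).
MsvAvEOL, MsvAvNbComputerName, MsvAvNbDomainName = 0x0000, 0x0001, 0x0002
MsvAvDnsComputerName, MsvAvDnsDomainName, MsvAvDnsTreeName = 0x0003, 0x0004, 0x0005

# Assumed capability set of this example server ("A-U" on the page); requested flags
# outside it are dropped, so the server returns only what it supports.
SERVER_SUPPORTED = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_LM_KEY
                    | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                    | NTLMSSP_NEGOTIATE_VERSION | NTLMSSP_NEGOTIATE_128)


class NtlmPolicyError(Exception):
    """Carries the status name the page says is returned to the calling application."""


def add_av_pair(target_info, av_id, value):
    """AddAvPair: append AvId, AvLen and the UTF-16LE value (empty for MsvAvEOL)."""
    data = b"" if value is None else value.encode("utf-16-le")
    target_info += struct.pack("<HH", av_id, len(data)) + data


def parse_target_info(target_info):
    """Walk an AV_PAIR list up to MsvAvEOL and return (AvId, value) tuples."""
    pairs, pos = [], 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", target_info, pos)
        pairs.append((av_id, target_info[pos + 4:pos + 4 + av_len].decode("utf-16-le")))
        pos += 4 + av_len
        if av_id == MsvAvEOL:
            return pairs


def select_flags(client_flags, cfg_flg):
    """CHALLENGE_MESSAGE.NegotiateFlags per the bullet list and the If/ElseIf blocks."""
    flags = cfg_flg | (client_flags & SERVER_SUPPORTED)
    flags |= NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    # Each If/ElseIf pair yields exactly one flag; the losing alternative is cleared.
    if client_flags & NTLMSSP_NEGOTIATE_UNICODE:
        flags = (flags | NTLMSSP_NEGOTIATE_UNICODE) & ~NTLMSSP_NEGOTIATE_OEM
    elif client_flags & NTLMSSP_NEGOTIATE_OEM:
        flags |= NTLMSSP_NEGOTIATE_OEM
    if client_flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        flags = (flags | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) & ~NTLMSSP_NEGOTIATE_LM_KEY
    elif client_flags & NTLMSSP_NEGOTIATE_LM_KEY:
        flags |= NTLMSSP_NEGOTIATE_LM_KEY
    return flags | NTLMSSP_NEGOTIATE_TARGET_INFO


def build_challenge(client_flags, cfg_flg, nb_machine, nb_domain=None, dns_machine=None,
                    dns_domain=None, dns_forest=None, server_block=False, require_128=False,
                    nonce=None, version=bytes(8)):
    """Run the server policy checks, then build the CHALLENGE_MESSAGE bytes."""
    if server_block:
        raise NtlmPolicyError("STATUS_NOT_SUPPORTED")
    flags = select_flags(client_flags, cfg_flg)
    if require_128 and not flags & NTLMSSP_NEGOTIATE_128:
        raise NtlmPolicyError("SEC_E_UNSUPPORTED_FUNCTION")
    # Assumption: "Server is domain joined" == an NbDomainName is configured.
    if nb_domain is not None:
        target_name, flags = nb_domain, flags | NTLMSSP_TARGET_TYPE_DOMAIN
    else:
        target_name, flags = nb_machine, flags | NTLMSSP_TARGET_TYPE_SERVER
    target_info = bytearray()
    for av_id, value in ((MsvAvNbComputerName, nb_machine), (MsvAvNbDomainName, nb_domain),
                         (MsvAvDnsComputerName, dns_machine), (MsvAvDnsDomainName, dns_domain),
                         (MsvAvDnsTreeName, dns_forest)):
        if value is not None:
            add_av_pair(target_info, av_id, value)
    add_av_pair(target_info, MsvAvEOL, None)
    name = target_name.encode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")
    challenge = os.urandom(8) if nonce is None else nonce   # NONCE(8): fresh per message
    header_len = 56   # fixed fields through the 8-byte Version field; payload follows
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                        # Signature, NtLmChallenge
    msg += struct.pack("<HHI", len(name), len(name), header_len)       # TargetNameFields
    msg += struct.pack("<I", flags) + challenge + bytes(8)              # flags, ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), header_len + len(name))
    msg += version if flags & NTLMSSP_NEGOTIATE_VERSION else bytes(8)  # Version only when negotiated
    return msg + name + bytes(target_info)


def decode_challenge(msg):
    """Read back the fields a client (or an analyst) extracts from a CHALLENGE_MESSAGE."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 20)[0]
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {"flags": flags, "server_challenge": msg[24:32],
            "target_name": msg[name_off:name_off + name_len].decode(encoding),
            "target_info": parse_target_info(msg[ti_off:ti_off + ti_len])}
```

Calling build_challenge with a client flag word that asks for both UNICODE and OEM, or both EXTENDED_SESSIONSECURITY and LM_KEY, shows the If/ElseIf preference in action: only UNICODE and EXTENDED_SESSIONSECURITY survive in the returned flags, and a bit the server does not implement is simply absent from the reply. Passing nonce=None draws the 8-byte ServerChallenge from os.urandom, which is the property the page asks for (pseudo-random, generated by the server, used once); a fixed nonce is only useful for deterministic inspection of the output.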

© 2014 Microsoft