3.1.5.1 NTLM Interactive Logon

If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is >= 6, the account is not also the NTLM server's account, and the APDS server determines that an authentication policy setting ([MS-KILE] section 3.3.5.5) applies:

  • If the account is:

    • A user account object, and the corresponding msDS-UserAllowedToAuthenticateFrom attribute ([MS-ADA2] section 2.492) is populated, APDS SHOULD<12> return STATUS_ACCOUNT_RESTRICTION.

    • A managed Service account object, and the corresponding msDS-ServiceAllowedToAuthenticateFrom ([MS-ADA2] section 2.460) is populated, APDS SHOULD<13> return STATUS_ACCOUNT_RESTRICTION.

For NTLM interactive logons, the NTLM server MAY<14> call NetrLogonSamLogonEx ([MS-NRPC] section 3.5.4.5.1) with the following parameters (set as specified):

  • LogonLevel MUST be NetlogonInteractiveInformation.

  • IF the G flag in NegotiateFlags ([MS-NRPC] section 3.1.4.2) is set to FALSE, the ValidationLevel MUST be NetlogonValidationSamInfo ([MS-NRPC] section 2.2.1.4.17).

    ELSE IF the Y or T flags are set to FALSE in NegotiateFlags ([MS-NRPC] section 3.1.4.2), the ValidationLevel MUST be NetlogonValidationSamInfo2 ([MS-NRPC] section 2.2.1.4.17).

    ENDIF.

  • IF SealSecureChannel ([MS-NRPC] section 3.1.1) is set to FALSE, the ValidationLevel MUST be NetlogonValidationSamInfo2 ([MS-NRPC] section 2.2.1.4.17).

    ELSE the ValidationLevel SHOULD<15> be NetlogonValidationSamInfo4 ([MS-NRPC] section 2.2.1.4.17).

    ENDIF.

  • LogonInformation MUST contain a reference to NETLOGON_INTERACTIVE_INFO ([MS-NRPC] section 2.2.1.4.3).

The logon request MUST be sent to the domain controller of the user account domain that has been located.

If the user domain is one of the trusted domains but the domain controller for the user account cannot be reached, the logon MUST fail. If the user domain is not one of the trusted domains, the NTLM server's local account database MUST be used to authenticate the user instead.

The request that is sent to the user account domain controller MUST contain the NTOWF of the user's password. It is carried in the NtOwfPassword field of NETLOGON_INTERACTIVE_INFO, which [MS-NRPC] requires to be encrypted with the secure channel session key before it is sent.

The domain controller MUST verify the supplied NTOWF against the NTOWF it holds for the account ([MS-NLMP] section 3.3). If there is a successful match, the domain controller MUST return data with ValidationInformation containing a reference to:

  • NETLOGON_VALIDATION_SAM_INFO4 ([MS-NRPC] section 2.2.1.4.13), if the ValidationLevel in the request is NetlogonValidationSamInfo4.

  • NETLOGON_VALIDATION_SAM_INFO2 ([MS-NRPC] section 2.2.1.4.12), if the ValidationLevel in the request is NetlogonValidationSamInfo2.

  • NETLOGON_VALIDATION_SAM_INFO ([MS-NRPC] section 2.2.1.4.11), if the ValidationLevel in the request is NetlogonValidationSamInfo.

If there is not a match, the DC SHOULD<16> return the failure error code STATUS_WRONG_PASSWORD (section 2.2) with no response data.
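The following model ties together the steps of this section: the authentication policy check at the start, the ValidationLevel selection from NegotiateFlags and SealSecureChannel, the routing of the request to the user's domain controller or the local account database, and the domain controller's verification and response. It is an added example, not code from [MS-APDS], [MS-NRPC] or any Windows component. Assumptions made for illustration: the G, Y, T flags and SealSecureChannel are passed as named booleans (bit positions and enum values from [MS-NRPC] are not reproduced); the two IF blocks above are read as one cascade in which the first matching rule wins; NTOWF values are opaque constructed bytes; STATUS_SUCCESS is used for the success path; the "logon MUST fail" case for an unreachable trusted-domain DC, for which this section names no NTSTATUS, is reported as a string; the account names, domain names (CORP, PARTNER, WS01$) and directory contents are constructed.

```python
"""Decision model of the NTLM interactive logon path in [MS-APDS] 3.1.5.1 (added
example, not code from [MS-APDS] or Windows). NegotiateFlags bits G, Y, T and
SealSecureChannel are named booleans; [MS-NRPC] bit positions and enum values are
not reproduced. NTOWFs are opaque constructed bytes (really MD4 of UTF-16LE password)."""
import hmac
from dataclasses import dataclass
from typing import Optional

STATUS_SUCCESS, STATUS_WRONG_PASSWORD, STATUS_ACCOUNT_RESTRICTION = 0x0, 0xC000006A, 0xC000006E

# ValidationLevel names ([MS-NRPC] 2.2.1.4.17) -> structure returned in ValidationInformation.
SAM_INFO, SAM_INFO2, SAM_INFO4 = "NetlogonValidationSamInfo", "NetlogonValidationSamInfo2", "NetlogonValidationSamInfo4"
VALIDATION_STRUCT = {SAM_INFO: "NETLOGON_VALIDATION_SAM_INFO", SAM_INFO2: "NETLOGON_VALIDATION_SAM_INFO2",
                     SAM_INFO4: "NETLOGON_VALIDATION_SAM_INFO4"}


def select_validation_level(g, y, t, seal_secure_channel):
    """The two IF blocks of 3.1.5.1 read as one cascade, first matching rule wins (editorial reading)."""
    if not g:
        return SAM_INFO
    if not (y and t) or not seal_secure_channel:
        return SAM_INFO2
    return SAM_INFO4  # SHOULD<15>


@dataclass
class Account:
    name: str
    nt_owf: bytes                 # stored NT one-way function of the password
    # msDS-UserAllowedToAuthenticateFrom (user) or msDS-ServiceAllowedToAuthenticateFrom
    # (managed service account): a security descriptor; non-None means "populated".
    allowed_to_authenticate_from: Optional[bytes] = None


@dataclass
class AccountDatabase:          # a DC's directory, or the local SAM (functionality 0)
    functionality: int            # domainControllerFunctionality ([MS-ADTS] 3.1.1.3.2.25)
    accounts: dict
    reachable: bool = True
    policy_applies: bool = False  # outcome of the [MS-KILE] 3.3.5.5 policy evaluation


def verify_interactive_logon(db, user, nt_owf, validation_level, ntlm_server_account):
    """DC side of NetrLogonSamLogonEx for NetlogonInteractiveInformation (also run
    against the local SAM). Returns (NTSTATUS, ValidationInformation structure name)."""
    acct = db.accounts[user]      # unknown-account handling is outside 3.1.5.1
    # Policy restriction: DFL >= 6, not the NTLM server's own account, a policy applies,
    # and the *AllowedToAuthenticateFrom attribute is populated.
    if (db.functionality >= 6 and acct.name != ntlm_server_account
            and db.policy_applies and acct.allowed_to_authenticate_from is not None):
        return STATUS_ACCOUNT_RESTRICTION, None          # SHOULD<12>/<13>
    if not hmac.compare_digest(nt_owf, acct.nt_owf):     # constant-time OWF compare
        return STATUS_WRONG_PASSWORD, None               # SHOULD<16>, no response data
    return STATUS_SUCCESS, VALIDATION_STRUCT[validation_level]


def ntlm_server_interactive_logon(server_account, user, domain, nt_owf, trusted_domains,
                                  dcs, local_sam, g, y, t, seal_secure_channel):
    """NTLM server side: pick ValidationLevel, then route to the user's DC or the local SAM."""
    level = select_validation_level(g, y, t, seal_secure_channel)
    if domain not in trusted_domains:   # not a trusted domain: local database MUST be used
        return verify_interactive_logon(local_sam, user, nt_owf, level, server_account)
    dc = dcs.get(domain)
    if dc is None or not dc.reachable:  # trusted domain but DC unreachable: logon MUST fail
        return "LOGON_FAILED_DC_UNREACHABLE", None   # 3.1.5.1 names no NTSTATUS for this
    # NetrLogonSamLogonEx(LogonLevel=NetlogonInteractiveInformation, ValidationLevel=level,
    # LogonInformation=NETLOGON_INTERACTIVE_INFO carrying the NTOWF)
    return verify_interactive_logon(dc, user, nt_owf, level, server_account)


# Constructed sample data: fake OWFs and directory contents.
OWF_ALICE = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
OWF_SVC = bytes.fromhex("0123456789abcdef0123456789abcdef")
DCS = {"CORP": AccountDatabase(6, {"alice": Account("alice", OWF_ALICE),
                                   "svc-web": Account("svc-web", OWF_SVC, b"<constructed SD>")},
                               policy_applies=True),
       "PARTNER": AccountDatabase(6, {}, reachable=False)}
LOCAL_SAM = AccountDatabase(0, {"localadmin": Account("localadmin", OWF_ALICE)})
TRUSTED = {"CORP", "PARTNER"}
FULL = dict(g=True, y=True, t=True, seal_secure_channel=True)


def demo():
    """The cases the text distinguishes, keyed for inspection."""
    def logon(user, dom, owf, **flags):
        return ntlm_server_interactive_logon("WS01$", user, dom, owf, TRUSTED, DCS, LOCAL_SAM, **flags)
    return {"alice_ok": logon("alice", "CORP", OWF_ALICE, **FULL),
            "alice_bad_pw": logon("alice", "CORP", bytes(16), **FULL),
            "alice_no_seal": logon("alice", "CORP", OWF_ALICE, **{**FULL, "seal_secure_channel": False}),
            "svc_restricted": logon("svc-web", "CORP", OWF_SVC, **FULL),
            "partner_dc_down": logon("bob", "PARTNER", OWF_ALICE, **FULL),
            "local_sam": logon("localadmin", "WS01", OWF_ALICE, **FULL)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Two design points are worth noting. The policy check runs before the OWF comparison, so a restricted account receives STATUS_ACCOUNT_RESTRICTION even with the correct credential, which matches the ordering of this section; and the OWF comparison uses a constant-time compare, since a domain controller that short-circuits on the first differing byte leaks timing information about the stored hash to whoever can drive interactive logons.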