3.2.5.1.1 Server Receives a NEGOTIATE_MESSAGE from the Client
Upon receipt of the embedded NEGOTIATE_MESSAGE, the server MUST extract and decode the NEGOTIATE_MESSAGE.
If ServerBlock == TRUE, then the server MUST return STATUS_NOT_SUPPORTED ([MS-ERREF] section 2.3.1).<63>
If the security features selected by the client are not strong enough for the server security policy, the server MUST return an error to the calling application. Otherwise, the server MUST respond with a CHALLENGE_MESSAGE message. This includes the negotiated features and a 64-bit (8-byte) nonce value for the ServerChallenge value. The nonce is a pseudo-random number generated by the server and intended for one-time use. The flags returned as part of the CHALLENGE_MESSAGE in this step indicate which variant the server wants to use and whether the server's domain name or machine name is present in the TargetName field.
If ServerRequire128bitEncryption == TRUE and 128-bit encryption is not negotiated, the server MUST return SEC_E_UNSUPPORTED_FUNCTION ([MS-ERREF] section 2.1.1) to the application.
The server processes the NEGOTIATE_MESSAGE and constructs a CHALLENGE_MESSAGE per the following pseudocode where all strings are encoded as RPC_UNICODE_STRING ([MS-DTYP] section 2.3.10).
-- Input:
--   CfgFlg - Defined in section 3.2.1.
--   An NTLM NEGOTIATE_MESSAGE whose message fields are defined in section 2.2.1.1.
--
-- Output:
--   An NTLM CHALLENGE_MESSAGE whose message fields are defined in section 2.2.1.2.
--
-- Functions used:
--   AddAVPair(), NIL, NONCE - Defined in section 6.
The server SHOULD return only the capabilities it supports. For example, if a newer client requests capability X and the server only supports capabilities A-U, inclusive, then the server does not return capability X. The CHALLENGE_MESSAGE NegotiateFlags field SHOULD<64> be set to the following:
All the flags set in CfgFlg (section 3.2.1.1)
The supported flags requested in the NEGOTIATE_MESSAGE.NegotiateFlags field
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
The Signature field MUST be set to the string, "NTLMSSP". The MessageType field MUST be set to 0x00000002, indicating a message type of NtLmChallenge. The ServerChallenge field MUST be set to an 8-byte nonce.
If the NTLMSSP_NEGOTIATE_VERSION flag is set, the Version field MUST be set to the current version (section 2.2.2.10).
If (NTLMSSP_NEGOTIATE_UNICODE is set in NEGOTIATE.NegotiateFlags)
    Set the NTLMSSP_NEGOTIATE_UNICODE flag in CHALLENGE_MESSAGE.NegotiateFlags
ElseIf (NTLMSSP_NEGOTIATE_OEM flag is set in NEGOTIATE.NegotiateFlags)
    Set the NTLMSSP_NEGOTIATE_OEM flag in CHALLENGE_MESSAGE.NegotiateFlags
EndIf

If (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag is set in NEGOTIATE.NegotiateFlags)
    Set the NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag in CHALLENGE_MESSAGE.NegotiateFlags
ElseIf (NTLMSSP_NEGOTIATE_LM_KEY flag is set in NEGOTIATE.NegotiateFlags)
    Set the NTLMSSP_NEGOTIATE_LM_KEY flag in CHALLENGE_MESSAGE.NegotiateFlags
EndIf

If (Server is domain joined)
    Set CHALLENGE_MESSAGE.TargetName to NbDomainName
    Set the NTLMSSP_TARGET_TYPE_DOMAIN flag in CHALLENGE_MESSAGE.NegotiateFlags
Else
    Set CHALLENGE_MESSAGE.TargetName to NbMachineName
    Set the NTLMSSP_TARGET_TYPE_SERVER flag in CHALLENGE_MESSAGE.NegotiateFlags
EndIf

Set the NTLMSSP_NEGOTIATE_TARGET_INFO and NTLMSSP_REQUEST_TARGET flags in CHALLENGE_MESSAGE.NegotiateFlags

If (NbMachineName is not NIL)
    AddAvPair(TargetInfo, MsvAvNbComputerName, NbMachineName)
EndIf
If (NbDomainName is not NIL)
    AddAvPair(TargetInfo, MsvAvNbDomainName, NbDomainName)
EndIf
If (DnsMachineName is not NIL)
    AddAvPair(TargetInfo, MsvAvDnsComputerName, DnsMachineName)
EndIf
If (DnsDomainName is not NIL)
    AddAvPair(TargetInfo, MsvAvDnsDomainName, DnsDomainName)
EndIf
If (DnsForestName is not NIL)
    AddAvPair(TargetInfo, MsvAvDnsTreeName, DnsForestName)
EndIf
AddAvPair(TargetInfo, MsvAvEOL, NIL)
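The flag selection, 128-bit policy check and TargetInfo construction described above, as an added Python example that is not part of the specification: the flag and AvId constant values come from MS-NLMP sections 2.2.2.5 and 2.2.2.1 rather than this page, the `domain_joined` input and the `names` dictionary are assumed inputs, and the optional Version field is omitted (the example assumes NTLMSSP_NEGOTIATE_VERSION is not negotiated).

```python
import os
import struct

# Flag and AvId constants from MS-NLMP sections 2.2.2.5 and 2.2.2.1 (not listed on this page).
NTLMSSP_NEGOTIATE_UNICODE, NTLMSSP_NEGOTIATE_OEM = 0x00000001, 0x00000002
NTLMSSP_REQUEST_TARGET, NTLMSSP_NEGOTIATE_LM_KEY = 0x00000004, 0x00000080
NTLMSSP_NEGOTIATE_NTLM, NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00000200, 0x00008000
NTLMSSP_TARGET_TYPE_DOMAIN, NTLMSSP_TARGET_TYPE_SERVER = 0x00010000, 0x00020000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_TARGET_INFO, NTLMSSP_NEGOTIATE_128 = 0x00800000, 0x20000000
MsvAvEOL, MsvAvNbComputerName, MsvAvNbDomainName = 0, 1, 2
MsvAvDnsComputerName, MsvAvDnsDomainName, MsvAvDnsTreeName = 3, 4, 5
AV_ORDER = [(MsvAvNbComputerName, "NbMachineName"), (MsvAvNbDomainName, "NbDomainName"),
            (MsvAvDnsComputerName, "DnsMachineName"), (MsvAvDnsDomainName, "DnsDomainName"),
            (MsvAvDnsTreeName, "DnsForestName")]

def select_flags(client_flags, cfg_flags, supported_flags, require_128):
    """CHALLENGE_MESSAGE.NegotiateFlags as this section derives them; raises on policy failure."""
    flags = cfg_flags | (client_flags & supported_flags)  # CfgFlg + supported requested flags
    flags |= (NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
              | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_TARGET_INFO)
    if flags & NTLMSSP_NEGOTIATE_UNICODE:                   # UNICODE takes precedence over OEM
        flags &= ~NTLMSSP_NEGOTIATE_OEM
    if flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:  # ESS takes precedence over LM_KEY
        flags &= ~NTLMSSP_NEGOTIATE_LM_KEY
    if require_128 and not flags & NTLMSSP_NEGOTIATE_128:  # ServerRequire128bitEncryption
        raise ValueError("SEC_E_UNSUPPORTED_FUNCTION: 128-bit encryption not negotiated")
    return flags

def av_pair(av_id, value):
    """AV_PAIR = AvId, AvLen (uint16 LE each) followed by the UTF-16LE value."""
    data = value.encode("utf-16-le") if value is not None else b""
    return struct.pack("<HH", av_id, len(data)) + data

def build_challenge(flags, names, domain_joined, nonce=None):
    """Serialize a CHALLENGE_MESSAGE (no Version field: assumes NEGOTIATE_VERSION is unset)."""
    target = names["NbDomainName"] if domain_joined else names["NbMachineName"]
    flags |= NTLMSSP_TARGET_TYPE_DOMAIN if domain_joined else NTLMSSP_TARGET_TYPE_SERVER
    info = b"".join(av_pair(i, names[k]) for i, k in AV_ORDER if names.get(k) is not None)
    info += av_pair(MsvAvEOL, None)                 # TargetInfo is always EOL-terminated
    target_bytes = target.encode("utf-16-le")
    nonce = nonce or os.urandom(8)                  # one-time 8-byte ServerChallenge (CSPRNG)
    header_len = 48                                 # fixed fields up to TargetInfoFields
    msg = b"NTLMSSP\x00" + struct.pack("<I", 0x00000002)            # Signature, NtLmChallenge
    msg += struct.pack("<HHI", len(target_bytes), len(target_bytes), header_len)
    msg += struct.pack("<I", flags) + nonce + bytes(8)              # flags, nonce, Reserved
    msg += struct.pack("<HHI", len(info), len(info), header_len + len(target_bytes))
    return msg + target_bytes + info
```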
When this process is complete, the server MUST send the CHALLENGE_MESSAGE to the client, embedded in an application protocol message, and encoded according to that application protocol.