
7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

Note: Some of the information in this section is subject to change because it applies to an unreleased, preliminary version of the Windows Server operating system, and thus may differ from the final version of the server software when released. All behavior notes that pertain to the unreleased, preliminary version of the Windows Server operating system contain specific references to Windows Server 2016 Technical Preview as an aid to the reader.

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 Technical Preview operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.3: Only Windows NT clients initiate requests for the LM version of the protocol. All Microsoft Windows servers still accept it if properly configured.

<2> Section 1.3.1: It is possible, with the Windows implementation of connectionless NTLM, for messages protected by NTLM session security to precede the completion of the established NTLM session, but such message orderings do not occur in practice.

<3> Section 1.4: When authenticating a domain account with NTLM, Windows uses Netlogon ([MS-APDS]) to have the DC take the challenge and the client's response, and validate the user authentication against the DC's user database.

<4> Section 1.6: Windows applications that use Negotiate ([MS-SPNG]) may authenticate via NTLM if Kerberos is not available. Authenticating via NTLM would occur if either the client or the server is a down-level (running Windows NT 4.0 operating system or earlier) system, if the server is not joined to a domain, if the application is using a remote procedure call (RPC) interface that uses NTLM directly, or if the administrator has not configured Kerberos properly. An implementer who wants to support these scenarios in which Kerberos does not work would need to implement NTLM.

<5> Section 2.2.1.1: The Version field is NOT sent or accessed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field starts immediately after WorkstationBufferOffset. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages with Version fields.

<6> Section 2.2.1.1: The code page mapping the OEM character set to Unicode is configurable via HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\Nls\Codepage\OEMCP, which is a DWORD that contains the assigned number of the code page.

<7> Section 2.2.1.2: The Version field is NOT sent or accessed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field starts immediately after TargetInfoBufferOffset. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages with Version fields.

<8> Section 2.2.1.3: Although the protocol allows authentication to succeed if the client provides either LmChallengeResponse or NtChallengeResponse, Windows implementations provide both.

<9> Section 2.2.1.3: The Version field is NOT sent or consumed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field starts immediately after NegotiateFlags. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages constructed with Version fields.

<10> Section 2.2.1.3: The MIC field is omitted in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<11> Section 2.2.2.1: MsvAvDnsTreeName AV_PAIR type is not supported in Windows NT and Windows 2000.

<12> Section 2.2.2.1: MsvAvFlags AV_PAIR type is not supported in Windows NT and Windows 2000.

<13> Section 2.2.2.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<14> Section 2.2.2.1: MsvAvTimestamp AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<15> Section 2.2.2.1: MsvAvSingleHost AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<16> Section 2.2.2.1: MsvAvTargetName AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<17> Section 2.2.2.1: MsvChannelBindings AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<18> Section 2.2.2.2: No version of Windows processes this field when sent on the wire.

<19> Section 2.2.2.2: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista do not create or send the CustomData field. The CustomData field is not processed when sent on the wire.

<20> Section 2.2.2.2: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista do not create or send the MachineID. The MachineID is not processed when sent on the wire.

<21> Section 2.2.2.5: Windows 7 and subsequent versions of Windows, according to the applicability list at the beginning of this section, support only 128-bit session key negotiation by default; therefore this bit is always set.

<22> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_VERSION flag is not supported in Windows NT and Windows 2000. This flag is used for debug purposes only.

<23> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is not set in the NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client in Windows NT Server 4.0 operating system Service Pack 3 (SP3).

<24> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED flag is not supported in Windows NT and Windows 2000.

<25> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag is not supported in Windows NT and Windows 2000.

<26> Section 2.2.2.5: Windows sends this bit for anonymous connections, but a Windows-based NTLM server does not use this bit when establishing the session.

<27> Section 2.2.2.5: Windows NTLM clients can set this bit. No versions of Windows NTLM servers support it, so this bit is never used.

<28> Section 2.2.2.7: In some situations, Microsoft Windows adds bytes to the end of the variable-length section. These bytes are considered to be part of the NTLMv2_CLIENT_CHALLENGE structure, but have no defined contents.

<29> Section 2.2.2.10: NTLMSSP_NEGOTIATE_VERSION cannot be negotiated in Windows NT, Windows 2000, and Windows XP operating system Service Pack 1 (SP1).

<30> Section 2.2.2.10: The values of the ProductMajorVersion and ProductMinorVersion fields have changed over time. The following table shows the values of these fields for each applicable product.

| Product                                          | ProductMajorVersion      | ProductMinorVersion     |
|--------------------------------------------------|--------------------------|-------------------------|
| Windows XP operating system Service Pack 2 (SP2) | WINDOWS_MAJOR_VERSION_5  | WINDOWS_MINOR_VERSION_1 |
| Windows Server 2003                              | WINDOWS_MAJOR_VERSION_5  | WINDOWS_MINOR_VERSION_2 |
| Windows Vista                                    | WINDOWS_MAJOR_VERSION_6  | WINDOWS_MINOR_VERSION_0 |
| Windows Server 2008                              | WINDOWS_MAJOR_VERSION_6  | WINDOWS_MINOR_VERSION_0 |
| Windows 7                                        | WINDOWS_MAJOR_VERSION_6  | WINDOWS_MINOR_VERSION_1 |
| Windows Server 2008 R2                           | WINDOWS_MAJOR_VERSION_6  | WINDOWS_MINOR_VERSION_1 |
| Windows 8                                        | WINDOWS_MAJOR_VERSION_6  | WINDOWS_MINOR_VERSION_2 |
| Windows Server 2012 operating system             | WINDOWS_MAJOR_VERSION_6  | WINDOWS_MINOR_VERSION_2 |
| Windows 8.1                                      | WINDOWS_MAJOR_VERSION_6  | WINDOWS_MINOR_VERSION_3 |
| Windows Server 2012 R2                           | WINDOWS_MAJOR_VERSION_6  | WINDOWS_MINOR_VERSION_3 |
| Windows 10                                       | WINDOWS_MAJOR_VERSION_10 | WINDOWS_MINOR_VERSION_0 |
| Windows Server 2016 Technical Preview            | WINDOWS_MAJOR_VERSION_10 | WINDOWS_MINOR_VERSION_0 |
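Notes <5>, <7> and <9> make one point that is easy to get wrong in a parser: the Len/MaxLen/BufferOffset descriptors locate payload bytes relative to the start of the message, so a receiver that knows nothing about the Version field (Windows NT/2000) still resolves them correctly. The following is an added example, not code from MS-NLMP or from Windows: it builds a NEGOTIATE_MESSAGE with and without the 8-byte Version field, parses it both as a Version-aware receiver and as a legacy receiver that never looks past NegotiateFlags, and decodes ProductMajorVersion/ProductMinorVersion against the table in note <30>. The flag constants are the well-known values from section 2.2.2.5; the message contents (domain CORP, workstation WS01, build number 7601) are constructed sample data.

```python
import struct

# NegotiateFlags bit values from MS-NLMP section 2.2.2.5
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
NTLMSSP_NEGOTIATE_128 = 0x20000000

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1

# (ProductMajorVersion, ProductMinorVersion) -> product, from the table in note <30>
PRODUCT_VERSIONS = {
    (5, 1): "Windows XP SP2",
    (5, 2): "Windows Server 2003",
    (6, 0): "Windows Vista / Windows Server 2008",
    (6, 1): "Windows 7 / Windows Server 2008 R2",
    (6, 2): "Windows 8 / Windows Server 2012",
    (6, 3): "Windows 8.1 / Windows Server 2012 R2",
    (10, 0): "Windows 10 / Windows Server 2016 Technical Preview",
}


def build_negotiate(flags, domain=b"", workstation=b"", version=None):
    """Construct a NEGOTIATE_MESSAGE. The fixed part is 32 bytes without the
    Version field and 40 bytes with it; payload buffers follow the fixed part."""
    header_len = 40 if version is not None else 32
    dom_off = header_len
    ws_off = header_len + len(domain)
    msg = SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags)
    msg += struct.pack("<HHI", len(domain), len(domain), dom_off)          # DomainNameFields
    msg += struct.pack("<HHI", len(workstation), len(workstation), ws_off)  # WorkstationFields
    if version is not None:
        major, minor, build = version
        # VERSION: major, minor, build, 3 reserved bytes, NTLMRevisionCurrent (0x0F)
        msg += struct.pack("<BBH3BB", major, minor, build, 0, 0, 0, 0x0F)
    return msg + domain + workstation


def _read_field(msg, offset):
    """Resolve an 8-byte Len/MaxLen/BufferOffset descriptor. BufferOffset counts
    from the start of the whole message, which is why the presence or absence of
    the Version field does not change where the payload bytes are found."""
    length, _max_len, buf_off = struct.unpack_from("<HHI", msg, offset)
    if buf_off + length > len(msg):
        raise ValueError("buffer offset/length runs past the end of the message")
    return msg[buf_off:buf_off + length]


def parse_negotiate(msg, honor_version=True):
    """Parse a NEGOTIATE_MESSAGE. With honor_version=False the parser behaves like
    Windows NT/2000 in note <5>: it never reads bytes 32..39 as a Version field."""
    if len(msg) < 32 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != NEGOTIATE_MESSAGE:
        raise ValueError("not a NEGOTIATE_MESSAGE")
    result = {
        "flags": flags,
        "domain": _read_field(msg, 16),
        "workstation": _read_field(msg, 24),
        "version": None,
    }
    if honor_version and flags & NTLMSSP_NEGOTIATE_VERSION and len(msg) >= 40:
        major, minor, build, _r1, _r2, _r3, rev = struct.unpack_from("<BBH3BB", msg, 32)
        result["version"] = {
            "major": major, "minor": minor, "build": build, "revision": rev,
            "product": PRODUCT_VERSIONS.get((major, minor), "unknown"),
        }
    return result


BASE_FLAGS = (NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
              | NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED)

# Constructed samples: a Windows NT/2000-style message (no Version) and a
# Windows 7-style message (Version present, 128-bit session key requested).
MSG_NO_VERSION = build_negotiate(BASE_FLAGS, b"CORP", b"WS01")
MSG_WITH_VERSION = build_negotiate(
    BASE_FLAGS | NTLMSSP_NEGOTIATE_VERSION | NTLMSSP_NEGOTIATE_128,
    b"CORP", b"WS01", version=(6, 1, 7601))

if __name__ == "__main__":
    for name, msg in (("no Version", MSG_NO_VERSION), ("with Version", MSG_WITH_VERSION)):
        print(name, parse_negotiate(msg))
        print(name, "as NT/2000 receiver:", parse_negotiate(msg, honor_version=False))
```

Both receivers recover the same domain and workstation bytes from the message that carries a Version field; only the Version-aware one reports the product. Parsers that instead compute payload positions as "header length plus offset" break on exactly the cross-version traffic these notes describe.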

<31> Section 3.1.1.1: The default value of this state variable is TRUE. Windows NT Server 4.0 SP3 does not support providing NTLM instead of LM responses.

<32> Section 3.1.1.1: The default value of this state variable is FALSE. ClientBlocked is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<33> Section 3.1.1.1: The default value of this state variable is NULL. ClientBlockExceptions is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<34> Section 3.1.1.1: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, this variable is set to FALSE. In Windows 7 and subsequent versions of Windows, according to the applicability list at the beginning of this section, this variable is set to TRUE.

<35> Section 3.1.1.1: In Windows NT 4.0 and Windows 2000, the maximum lifetime for the challenge is 30 minutes. In Windows XP and subsequent versions of Windows, according to the applicability list at the beginning of this section, the maximum lifetime is 36 hours.

<36> Section 3.1.1.2: Windows exposes these logical parameters to applications through the SSPI interface on Windows.

<37> Section 3.1.1.2: ClientSuppliedTargetName is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<38> Section 3.1.1.2: ClientChannelBindingsUnhashed is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<39> Section 3.1.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<40> Section 3.1.4: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<41> Section 3.1.5.1.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<42> Section 3.1.5.1.2: Not supported by Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<43> Section 3.1.5.1.2: This functionality is not supported in Windows NT and Windows 2000.

<44> Section 3.1.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<45> Section 3.1.5.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<46> Section 3.1.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<47> Section 3.1.5.2: Connectionless NTLM is supported only in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<48> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<49> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<50> Section 3.1.5.2.1: Not supported by Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<51> Section 3.1.5.2.1: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<52> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<53> Section 3.1.5.2.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<54> Section 3.2.1.1: The default value of this state variable is FALSE. ServerBlock is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008.

<55> Section 3.2.1.1: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, this variable is set to FALSE. In Windows 7 and subsequent versions of Windows, according to the applicability list at the beginning of this section, this variable is set to TRUE.

<56> Section 3.2.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<57> Section 3.2.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<58> Section 3.2.5.1.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<59> Section 3.2.5.1.1: Windows NT will set NTLMSSP_NEGOTIATE_TARGET_INFO only if NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is set. Windows 2000, Windows XP, and Windows Server 2003 will set NTLMSSP_NEGOTIATE_TARGET_INFO only if NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY or NTLMSSP_REQUEST_TARGET is set.

<60> Section 3.2.5.1.2: ServerBlock is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<61> Section 3.2.5.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<62> Section 3.2.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<63> Section 3.2.5.1.2: MIC fields are not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<64> Section 3.2.5.1.2: Supported by Windows NT, Windows 2000, and Windows XP.

<65> Section 3.2.5.2: Connectionless NTLM is supported only in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<66> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<67> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<68> Section 3.2.5.2.2: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<69> Section 3.2.5.2.2: Supported by Windows NT, Windows 2000 and Windows XP.

<70> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<71> Section 3.2.5.2.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<72> Section 3.3.1: If the client sends a domain that is unknown to the server, the server tries to perform the authentication against the local database.

<73> Section 3.3.2: If the client sends a domain that is unknown to the server, the server tries to perform the authentication against the local database.

<74> Section 5.1: NTLM domain considerations are as follows:

Microsoft DCs determine the minimum security requirements for NTLM authentication between a Windows client and the local Windows domain. Based on the minimum security settings in place, the DC can either allow or refuse the use of LM, NTLM, or NTLM v2 authentication, and servers can force the use of extended session security on all messages between the client and server. In a Windows domain, the DC controls domain level security settings through the use of Windows Group Policy, which replicates security policies to clients and servers throughout the local domain.

Domain-level security policies dictated by Windows Group Policy must be supported on the local system for authentication to take place. During NTLM authentication, clients and servers exchange NTLM capability flags that specify what levels of security they are able to support. If either the client or server's level of security support is less than the security policies of the domain, the authentication attempt is refused by the computer with the higher level of minimum security requirements. This is important for interdomain authentication where differing security policies may be enforced on either domain, and the client or server may not be able to support the security policies of the other's domain.

NTLM security levels are as follows:

The security policies exchanged by the server and client can be set independently of the DC minimum security requirements dictated by Windows Group Policy. Higher local security policies can be exchanged by a client and server in a domain with low minimum security requirements in connection-oriented authentication during the capability flags exchange. However, during connectionless (datagram-oriented) authentication, it is not possible to exchange higher local security policies because they are strictly enforced by Windows Group Policy. Local security policies that are set independently of the DC are subordinate to domain-level security policies for clients authenticating to a server on the local domain; therefore, it is not possible to use local-system policies that are less secure than domain-level policies.

Stand-alone servers that do not have a DC to authenticate clients set their own minimum security requirements.

NTLM security levels determine the minimum security settings allowed on a client, server, or DC to authenticate in an NTLM domain. The security levels cannot be modified in Windows NT 4.0 operating system Service Pack 3 (SP3) by setting this registry key to one of the following security level values.

 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

Security-level descriptions:

0: Server sends LM and NTLM response and never uses extended session security. Clients use LM and NTLM authentication, and never use extended session security. DCs accept LM, NTLM, and NTLM v2 authentication.

1: Servers use NTLM v2 session security if it is negotiated. Clients use LM and NTLM authentication and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

2: Server sends NTLM response only. Clients use only NTLM authentication and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

3: Server sends NTLM v2 response only. Clients use NTLM v2 authentication and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

4: DCs refuse LM responses. Clients use NTLM authentication and use extended session security if the server supports it. DCs refuse LM authentication but accept NTLM and NTLM v2 authentication.

5: DCs refuse LM and NTLM responses, and accept only NTLM v2. Clients use NTLM v2 authentication and use extended session security if the server supports it. DCs refuse NTLM and LM authentication, and accept only NTLM v2 authentication.
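The level descriptions above, together with the rule in note <74> that an authentication attempt is refused by whichever side has the higher minimum, can be turned into a small compatibility model that is useful when auditing mixed-level environments. The following is an added example, not part of MS-NLMP or of any Windows tooling: it records what a client at each LMCompatibilityLevel sends and what a DC at each level accepts, exactly as the six descriptions state, reports whether a client/DC pair can authenticate at all, flags client levels that still emit LM or NTLM (v1) responses, and reads the level out of a registry export in `.reg` format. The registry export text is a constructed sample; the value name is matched case-insensitively because registry names are not case-sensitive.

```python
import re

LM, NTLM, NTLMV2 = "LM", "NTLM", "NTLMv2"

# Responses a client sends at each level, per the security-level descriptions
CLIENT_SENDS = {
    0: {LM, NTLM},
    1: {LM, NTLM},
    2: {NTLM},
    3: {NTLMV2},
    4: {NTLM},
    5: {NTLMV2},
}

# Responses a DC accepts at each level, per the same descriptions
DC_ACCEPTS = {
    0: {LM, NTLM, NTLMV2},
    1: {LM, NTLM, NTLMV2},
    2: {LM, NTLM, NTLMV2},
    3: {LM, NTLM, NTLMV2},
    4: {NTLM, NTLMV2},
    5: {NTLMV2},
}

LSA_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
_LEVEL_RE = re.compile(r'^"LmCompatibilityLevel"=dword:([0-9a-fA-F]{8})$', re.IGNORECASE)


def _check_level(level):
    if level not in CLIENT_SENDS:
        raise ValueError("LMCompatibilityLevel must be 0..5, got %r" % (level,))


def usable_responses(client_level, dc_level):
    """Response types the client sends that the DC will also accept."""
    _check_level(client_level)
    _check_level(dc_level)
    return CLIENT_SENDS[client_level] & DC_ACCEPTS[dc_level]


def can_authenticate(client_level, dc_level):
    """Authentication succeeds only if at least one sent response is accepted;
    otherwise the side with the stricter minimum refuses it (note <74>)."""
    return bool(usable_responses(client_level, dc_level))


def assess_client_level(level):
    """Findings a reviewer would raise for a client configured at this level."""
    _check_level(level)
    sends = CLIENT_SENDS[level]
    findings = []
    if LM in sends:
        findings.append("client sends LM responses")
    if NTLM in sends:
        findings.append("client sends NTLM (v1) responses")
    if NTLMV2 not in sends:
        findings.append("client never sends NTLMv2")
    return findings


def parse_reg_export(text):
    """Return the LMCompatibilityLevel found under the Lsa key of a .reg export,
    or None if the value is absent (the OS default then applies)."""
    in_lsa = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_lsa = line[1:-1].lower() == LSA_KEY.lower()
        elif in_lsa:
            m = _LEVEL_RE.match(line)
            if m:
                return int(m.group(1), 16)
    return None


def audit(reg_text, dc_level):
    """Combine the export and the DC's level into one report for the reviewer."""
    level = parse_reg_export(reg_text)
    if level is None:
        return {"level": None, "findings": ["LMCompatibilityLevel not set; OS default applies"]}
    return {
        "level": level,
        "can_authenticate": can_authenticate(level, dc_level),
        "usable": sorted(usable_responses(level, dc_level)),
        "findings": assess_client_level(level),
    }


# Constructed sample export of the Lsa key
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000002
"""

if __name__ == "__main__":
    print(audit(SAMPLE_REG_EXPORT, dc_level=5))
```

Running the block against the sample shows the case the descriptions imply but do not spell out: a level 2 client sends only NTLM, a level 5 DC accepts only NTLMv2, so the pair cannot authenticate, while the same client against a level 4 DC still succeeds because NTLM remains accepted there.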

© 2015 Microsoft