3.1.5.2 NTLM Network Logon

If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is >= 6, the account is not also the NTLM server's account, and the APDS server determines that an authentication policy setting ([MS-KILE] section 3.3.5.5) applies:

  1. If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is < 7, the msDS-UserAllowedNTLMNetworkAuthentication and msDS-ServiceAllowedNTLMNetworkAuthentication attributes ([MS-ADA2] section 2.491 and [MS-ADA2] section 2.459, respectively) SHOULD<17> be treated as set to FALSE.

  2. If the account is a user account object, the corresponding msDS-UserAllowedToAuthenticateFrom ([MS-ADA2] section 2.492) is populated, and msDS-UserAllowedNTLMNetworkAuthentication is set to FALSE, APDS MUST return STATUS_ACCOUNT_RESTRICTION.

  3. If the account is a managed service account object, the corresponding msDS-ServiceAllowedToAuthenticateFrom ([MS-ADA2] section 2.460) is populated, and msDS-ServiceAllowedNTLMNetworkAuthentication is set to FALSE, APDS MUST return STATUS_ACCOUNT_RESTRICTION.

For NTLM network logons, the NTLM server MAY<18> call NetrLogonSamLogonEx ([MS-NRPC] section 3.5.4.5.1) with the following parameters (set as specified):

  • LogonLevel MUST be NetlogonNetworkInformation.

  • IF the G flag in NegotiateFlags ([MS-NRPC] section 3.1.4.2) is set to FALSE, the ValidationLevel MUST be NetlogonValidationSamInfo ([MS-NRPC] section 2.2.1.4.17).

    ELSE IF the Y or T flags in NegotiateFlags ([MS-NRPC] section 3.1.4.2) are set to FALSE, the ValidationLevel MUST be NetlogonValidationSamInfo2 ([MS-NRPC] section 2.2.1.4.17).

    ENDIF.

  • IF SealSecureChannel ([MS-NRPC] section 3.1.1) is set to FALSE, the ValidationLevel MUST be NetlogonValidationSamInfo2 ([MS-NRPC] section 2.2.1.4.17).

    ELSE the ValidationLevel SHOULD<19> be NetlogonValidationSamInfo4 ([MS-NRPC] section 2.2.1.4.17).

    ENDIF.

  • LogonInformation MUST contain a reference to NETLOGON_NETWORK_INFO ([MS-NRPC] section 2.2.1.4.5).

  • Set the E and K bits of LogonInformation.LogonNetwork.Identity.ParameterControl.<20>

  • The following algorithm is used to derive the challenge that the server sends to the DC. NTLMSSP_NEGOTIATE_ENHANCED_SESSION_SECURITY denotes the NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag of [MS-NLMP] section 2.2.2.5; NtResponseLength == 24 identifies an NTLMv1 NtChallengeResponse (an NTLMv2 response is longer), and in that case LmResponse[0..7] carries the client challenge, so the DC needs the MD5-derived value rather than ChallengeToClient to verify the NT response ([MS-NLMP] section 3.3.1):

    IF (NTLMSSP_NEGOTIATE_ENHANCED_SESSION_SECURITY and NtResponseLength == 24 and LmResponseLength >= 8)
        NetlogonNetworkInformation.LmChallenge = MD5(Concatenate(ChallengeToClient, LmResponse[0..7]))[0..7]
    ELSE
        NetlogonNetworkInformation.LmChallenge = ChallengeToClient
    END
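The parameter selection above, as an added worked example that is not part of this specification or of any Windows implementation: it derives LmChallenge for the NTLMv1-with-extended-session-security case and the plain case, picks the ValidationLevel from the G, Y and T negotiate flags and SealSecureChannel (reading the two IF blocks as one ordered chain where the first matching rule wins, which is an interpretation of the text), and sets the E and K bits of ParameterControl. The function names, the dictionary layout standing in for the NETLOGON_NETWORK_INFO structure, and the sample challenge and responses are constructed for illustration; the constant values come from [MS-NRPC], [MS-NLMP] and ntsecapi.h.

```python
import hashlib
from enum import IntEnum

# NETLOGON_LOGON_INFO_CLASS value for a network logon ([MS-NRPC]).
NetlogonNetworkInformation = 2

# NETLOGON_VALIDATION_INFO_CLASS values ([MS-NRPC] section 2.2.1.4.17).
class ValidationLevel(IntEnum):
    NetlogonValidationSamInfo = 2
    NetlogonValidationSamInfo2 = 3
    NetlogonValidationSamInfo4 = 6

# NEGOTIATE flag from [MS-NLMP] section 2.2.2.5 (the text calls it
# NTLMSSP_NEGOTIATE_ENHANCED_SESSION_SECURITY).
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

# ParameterControl bits, ntsecapi.h names: E = allow a DC account to log on,
# K = allow a computer (workstation trust) account to log on.
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT = 0x00000020       # E bit
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT = 0x00000800  # K bit


def netlogon_lm_challenge(ntlm_negotiate_flags: int, challenge_to_client: bytes,
                          lm_response: bytes, nt_response: bytes) -> bytes:
    """LmChallenge the NTLM server places in NETLOGON_NETWORK_INFO."""
    if len(challenge_to_client) != 8:
        raise ValueError("ServerChallenge must be 8 bytes")
    ess = bool(ntlm_negotiate_flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
    if ess and len(nt_response) == 24 and len(lm_response) >= 8:
        # NTLMv1 + extended session security: LmResponse[0..7] is the client
        # challenge, and the client keyed its NT response on this MD5 prefix.
        return hashlib.md5(challenge_to_client + lm_response[:8]).digest()[:8]
    # Plain NTLMv1, or NTLMv2 (NT response longer than 24 bytes): pass the
    # server challenge through unchanged.
    return challenge_to_client


def choose_validation_level(g_flag: bool, y_flag: bool, t_flag: bool,
                            seal_secure_channel: bool) -> ValidationLevel:
    """ValidationLevel per the text, rules applied in order (interpretation)."""
    if not g_flag:
        return ValidationLevel.NetlogonValidationSamInfo
    if not (y_flag and t_flag):
        return ValidationLevel.NetlogonValidationSamInfo2
    if not seal_secure_channel:
        return ValidationLevel.NetlogonValidationSamInfo2
    return ValidationLevel.NetlogonValidationSamInfo4  # SHOULD


def build_sam_logon_ex_request(ntlm_negotiate_flags: int, challenge_to_client: bytes,
                               lm_response: bytes, nt_response: bytes,
                               user: str, domain: str, workstation: str,
                               g_flag: bool, y_flag: bool, t_flag: bool,
                               seal_secure_channel: bool) -> dict:
    """Dictionary stand-in for the NetrLogonSamLogonEx parameters (illustrative layout)."""
    return {
        "LogonLevel": NetlogonNetworkInformation,
        "ValidationLevel": choose_validation_level(g_flag, y_flag, t_flag, seal_secure_channel),
        "LogonInformation": {  # NETLOGON_NETWORK_INFO ([MS-NRPC] section 2.2.1.4.5)
            "Identity": {
                "ParameterControl": MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
                                    | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
                "LogonDomainName": domain,
                "UserName": user,
                "Workstation": workstation,
            },
            "LmChallenge": netlogon_lm_challenge(ntlm_negotiate_flags, challenge_to_client,
                                                 lm_response, nt_response),
            "NtChallengeResponse": nt_response,
            "LmChallengeResponse": lm_response,
        },
    }


if __name__ == "__main__":
    # Constructed sample exchange: NTLMv1 with extended session security.
    server_challenge = bytes(range(8))
    lm_resp = b"\x11" * 8 + b"\x00" * 16   # ClientChallenge || Z(16)
    nt_resp = b"\x22" * 24                  # 24-byte DESL output
    req = build_sam_logon_ex_request(0x00080000 | 0x00000200, server_challenge, lm_resp,
                                     nt_resp, "alice", "CORP", "FILESRV01",
                                     True, True, True, True)
    print(req["LogonInformation"]["LmChallenge"].hex(), req["ValidationLevel"])
```

For NTLMv2 the NT response is 16 bytes of NTProofStr plus the client challenge blob, so the length test fails and the original server challenge is forwarded; the DC then recomputes NTProofStr itself per [MS-NLMP] section 3.3.2.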

The DC of the server's domain MUST be located ([MS-NRPC] section 3.5.4.3) and the request sent to it. This request MUST contain the NTLM challenge-response pair that was exchanged between the NTLM server and the client ([MS-NLMP] sections 2.2.1.2 and 2.2.1.3).

The DC verifies the response to the challenge either as defined in [MS-NLMP] section 3.3 or by using a subauthentication package (section 3.1.5.2.1).

If the account is a computer account, the subauthentication package is not verified, and the K bit of LogonInformation.LogonNetwork.Identity.ParameterControl is not set, then return STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.<21>

If the account is a domain controller computer account, the subauthentication package is not verified, and the E bit of LogonInformation.LogonNetwork.Identity.ParameterControl is not set, return STATUS_NOLOGON_SERVER_TRUST_ACCOUNT.

For NTLMv2 authentication [MS-NLMP], the DC MUST verify that the request originated from the NTLM server that generated the challenge:

  1. The DC extracts the MsvAvNbComputerName and MsvAvNbDomainName AV pairs ([MS-NLMP] section 2.2.2.1) from the NTLMv2_CLIENT_CHALLENGE ([MS-NLMP] section 2.2.2.7) of the AUTHENTICATE_MESSAGE ([MS-NLMP] section 2.2.1.3).

  2. If MsvAvNbDomainName does not match the NetBIOS name of the DC's domain, then return STATUS_LOGON_FAILURE (section 2.2).

  3. If MsvAvNbComputerName does not match the NetBIOS name of the server that established the secure channel ([MS-NRPC] section 3.5.4.4.2), then return STATUS_LOGON_FAILURE.

If there is a match, the DC MUST return data with ValidationInformation containing a reference to NETLOGON_VALIDATION_SAM_INFO4 ([MS-NRPC] section 2.2.1.4.13, if the ValidationLevel in the request is NetlogonValidationSamInfo4) or a reference to NETLOGON_VALIDATION_SAM_INFO2 ([MS-NRPC] section 2.2.1.4.12, if the ValidationLevel in the request is NetlogonValidationSamInfo2) or a reference to NETLOGON_VALIDATION_SAM_INFO ([MS-NRPC] section 2.2.1.4.11, if the ValidationLevel in the request is NetlogonValidationSamInfo). If there is not a match, the DC MUST return a failure error code STATUS_LOGON_FAILURE with no response data.<22>
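The origin check in steps 1 to 3 above, as an added example that is not part of this specification or of any DC implementation: it parses the AV_PAIR list out of an NTLMv2_RESPONSE (the 16-byte NTProofStr followed by the NTLMv2_CLIENT_CHALLENGE), pulls MsvAvNbDomainName and MsvAvNbComputerName, and compares them with the DC's domain NetBIOS name and the NetBIOS name of the secure-channel client. The function names, the case-insensitive comparison of NetBIOS names, and the sample response (domain CORP, server FILESRV01, placeholder NTProofStr) are assumptions constructed for illustration; structure offsets and AvId values are those of [MS-NLMP] sections 2.2.2.1 and 2.2.2.7.

```python
import struct
from typing import Dict

# AvId values of AV_PAIR ([MS-NLMP] section 2.2.2.1).
MsvAvEOL = 0
MsvAvNbComputerName = 1
MsvAvNbDomainName = 2
MsvAvDnsComputerName = 3
MsvAvDnsDomainName = 4

STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D

# NTLMv2_CLIENT_CHALLENGE fields before AvPairs: RespType(1) HiRespType(1)
# Reserved1(2) Reserved2(4) TimeStamp(8) ChallengeFromClient(8) Reserved3(4).
_CLIENT_CHALLENGE_HEADER = 28
_NTPROOFSTR_LEN = 16


def parse_av_pairs(data: bytes) -> Dict[int, bytes]:
    """AvId -> raw value; AvId and AvLen are little-endian 16-bit fields."""
    pairs: Dict[int, bytes] = {}
    off = 0
    while True:
        if off + 4 > len(data):
            raise ValueError("AV_PAIR list not terminated by MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == MsvAvEOL:
            return pairs
        if off + av_len > len(data):
            raise ValueError("AV_PAIR value runs past end of buffer")
        pairs[av_id] = data[off:off + av_len]
        off += av_len


def av_pairs_from_ntlmv2_response(nt_challenge_response: bytes) -> Dict[int, bytes]:
    """Locate the AvPairs inside NtChallengeResponse (NTLMv2_RESPONSE)."""
    if len(nt_challenge_response) < _NTPROOFSTR_LEN + _CLIENT_CHALLENGE_HEADER + 4:
        raise ValueError("too short for an NTLMv2_RESPONSE")
    blob = nt_challenge_response[_NTPROOFSTR_LEN:]
    if blob[0] != 1 or blob[1] != 1:        # RespType, HiRespType MUST be 0x01
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE")
    return parse_av_pairs(blob[_CLIENT_CHALLENGE_HEADER:])


def check_ntlmv2_origin(nt_challenge_response: bytes, dc_domain_netbios: str,
                        secure_channel_client_netbios: str) -> int:
    """Steps 1-3: the response must name this domain and the calling server."""
    try:
        pairs = av_pairs_from_ntlmv2_response(nt_challenge_response)
    except ValueError:
        return STATUS_LOGON_FAILURE
    domain = pairs.get(MsvAvNbDomainName)
    computer = pairs.get(MsvAvNbComputerName)
    # Assumption: NetBIOS names compare case-insensitively (values are UTF-16LE).
    if domain is None or domain.decode("utf-16-le").upper() != dc_domain_netbios.upper():
        return STATUS_LOGON_FAILURE
    if computer is None or computer.decode("utf-16-le").upper() != secure_channel_client_netbios.upper():
        return STATUS_LOGON_FAILURE
    return STATUS_SUCCESS


def _av(av_id: int, text: str) -> bytes:
    value = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(value)) + value


def build_constructed_ntlmv2_response(nb_computer: str, nb_domain: str) -> bytes:
    """Constructed sample NTLMv2_RESPONSE; NTProofStr is a placeholder, not a real HMAC."""
    av_pairs = (_av(MsvAvNbDomainName, nb_domain) + _av(MsvAvNbComputerName, nb_computer)
                + _av(MsvAvDnsDomainName, nb_domain.lower() + ".example")
                + struct.pack("<HH", MsvAvEOL, 0))
    client_challenge = (bytes([1, 1]) + b"\x00" * 6                 # RespType, HiRespType, Reserved1/2
                        + struct.pack("<Q", 0x01D9F00000000000)    # TimeStamp (FILETIME)
                        + b"\x5A" * 8 + b"\x00" * 4                 # ChallengeFromClient, Reserved3
                        + av_pairs + b"\x00" * 4)                   # AvPairs, trailing Z(4)
    return b"\xAA" * _NTPROOFSTR_LEN + client_challenge


if __name__ == "__main__":
    resp = build_constructed_ntlmv2_response("FILESRV01", "CORP")
    print(hex(check_ntlmv2_origin(resp, "CORP", "FILESRV01")))   # accepted
    print(hex(check_ntlmv2_origin(resp, "CORP", "OTHERSRV")))    # STATUS_LOGON_FAILURE
```

The values compared here were copied by the client from the TargetInfo of the server's CHALLENGE_MESSAGE and are covered by NTProofStr, so a domain member cannot get the DC to validate an NTLMv2 response a client produced for a different server, and a truncated or malformed AvPairs list is treated as a mismatch rather than skipped.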