3.1.5 Message Processing Events and Sequencing Rules

NTLM logon is a stateless protocol with request-response semantics.

The NTLM server MAY<6> call the NetrLogonSamLogonEx method ([MS-NRPC] section 3.5.4.5.1) with the parameters defined in the following sections. Based on the account name supplied, a domain controller (DC) for the domain MUST be located ([MS-ADTS] section 6.3.6). The NTLM server MUST establish a connection with the DC ([MS-NRPC] section 3.1.4.6). The NTLM server SHOULD invoke the NetrLogonSamLogonEx method ([MS-NRPC] section 3.5.4.5.1).

If NTLMServerDomainBlocked == TRUE, the NTLM server SHOULD<7> return STATUS_NTLM_BLOCKED to the NTLM client.

If the DC is of the resource domain:

  • If ResourceDCBlocked == TRUE, and the NTLM server's name is not equal to any of the DCBlockExceptions server names, the DC SHOULD<8> return STATUS_NTLM_BLOCKED.

If the DC is of the account domain:

  • If AccountDCBlocked == TRUE, the APDS server SHOULD<9> return STATUS_NTLM_BLOCKED.

  • If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is >= 6, the account is not also the NTLM server's account, and the APDS server determines that an authentication policy setting ([MS-KILE] section 3.3.5.5) applies, then:

    • If AllowedToAuthenticateTo is not NULL, an access check SHOULD<10> be performed to determine whether the user has the ACL granting ACTRL_DS_CONTROL_ACCESS ([MS-SAMR] section 2.2.1.17). If the access check fails, APDS MUST return STATUS_AUTHENTICATION_FIREWALL_FAILED.

The DC MUST verify the account access status. If the account is not valid for logon, the APDS server returns one of the following errors:

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) D flag is set to TRUE, the APDS server returns STATUS_ACCOUNT_DISABLED.

  • If the AccountExpires attribute ([MS-ADA1] section 2.1) is set to a value that is in the past, the APDS server returns STATUS_ACCOUNT_EXPIRED.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) L flag is set to TRUE, the APDS server returns STATUS_ACCOUNT_LOCKED_OUT.

  • If the current time is not within logonHours attribute ([MS-ADA1] section 2.376), the APDS server returns STATUS_INVALID_LOGON_HOURS.

  • If PasswordMustChange, which is generated with the same method as specified in [MS-SAMR] section 3.1.5.14.4, is set to a value that is in the past, the APDS server returns STATUS_PASSWORD_EXPIRED.

  • If PasswordMustChange, ([MS-SAMR] section 3.1.5.14.4), is zero, the APDS server returns STATUS_PASSWORD_MUST_CHANGE.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) SR flag is set to TRUE, because this is a password-based logon, the APDS server returns STATUS_SMARTCARD_LOGON_REQUIRED.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) ID flag is set to TRUE, the APDS server returns STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) WT flag is set to TRUE, the APDS server returns STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.

  • If the userAccountControl attribute ([MS-ADTS] section 2.2.16) ST flag is set to TRUE, the APDS server returns STATUS_NOLOGON_SERVER_TRUST_ACCOUNT.

An APDS server implementation MAY choose to send more descriptive error codes (as in the case above). However, the NTLM server MUST treat any error returned by the DC as a logon failure.

The DC attempts to validate the request, increment LogonAttempts, and if successful, authenticate the user. If validation is unsuccessful, the DC MUST return an error. The role of the DC in the NTLM authentication sequence is specified in [MS-NLMP] section 3.3.

Upon successful validation:

  • If the domainControllerFunctionality attribute ([MS-ADTS] section 3.1.1.3.2.25) returns a value that is >= 6 and the user is a member of PROTECTED_USERS ([MS-DTYP] section 2.4.2.4), APDS SHOULD<11> return STATUS_ACCOUNT_RESTRICTION.

  • Otherwise, the user account's DC MUST send the domain global groups and universal groups (that the user is a member of) to the server's DC, and MUST follow the trust path that was used to contact the user's account DC ([MS-NRPC] section 3.5.4.5.1).

When the trust crossed in the trust path has the TRUST_ATTRIBUTE_CROSS_ORGANIZATION ([MS-LSAD] section 2.2.7.9) set, the DC MUST add the OTHER_ORGANIZATION SID ([MS-DTYP] section 2.4.2.4) to the user's groups.

When a user has the OTHER_ORGANIZATION SID, the server domain DC MUST perform an access check where:

  • The security descriptor MUST contain the ACL granting the client user ACTRL_DS_CONTROL_ACCESS ([MS-SAMR] section 2.2.1.17) to the server computer's AD account object.

If the access check fails, the DC MUST reject the authentication request and return STATUS_AUTHENTICATION_FIREWALL_FAILED. The server domain DC also MUST add the domain local groups, and then send the entire list of groups to the NTLM server to be used for authorization decisions.

For NTLM server implementations that use an authorization model that is based on a security identifier (SID), the server SHOULD populate the User SID and Security Group SIDs in the ImpersonationAccessToken (section 3.1.1) as follows:

  • Concatenate LogonDomainId ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13) and UserId ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13), add the result to the ImpersonationAccessToken.Sids array, and set the ImpersonationAccessToken.UserIndex field to this index.

  • Concatenate LogonDomainId ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13) and PrimaryGroupId ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13), add the result to the ImpersonationAccessToken.Sids array, and set the ImpersonationAccessToken.PrimaryGroup field to this index.

  • For each GroupIds ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13), concatenate LogonDomainId ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13) and GroupIds.RelativeID ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13), and add the result to the ImpersonationAccessToken.Sids array.

  • For each ExtraSids ([MS-NRPC] sections 2.2.1.4.12 and 2.2.1.4.13), add the ExtraSids.Sid ([MS-NRPC] sections 2.2.1.4.12 and 2.2.1.4.13) to the ImpersonationAccessToken.Sids array.

The server calls GatherGroupMembershipForSystem ([MS-DTYP] section 2.5.2.1.1), where InitialMembership contains the ImpersonationAccessToken.Sids array, and set the ImpersonationAccessToken.Sids array to FinalMembership.

The server calls AddPrivilegesToToken ([MS-DTYP] section 2.5.2.1.2), where Token contains ImpersonationAccessToken.

Other SID structures can be added to ImpersonationAccessToken following authentication (see [MS-DTYP] section 2.7.1).

Show: