NTLM Connectionless (Datagram-Oriented) Call Flow

The following illustration shows a typical NTLM connectionless (datagram-oriented) call flow.

Connectionless NTLM message flow

Figure 3: Connectionless NTLM message flow

Although it appears that the server is initiating the request, the client initiates the sequence by sending a message specified by the application protocol in use.

  1. Application-specific protocol messages are sent between client and server.

  2. The NTLM protocol begins when the application requires an authenticated session.  The server sends the client an NTLM CHALLENGE_MESSAGE message. The message includes an indication of the security features desired by the server, and a nonce that the server generates.

  3. The client sends an NTLM AUTHENTICATE_MESSAGE message to the server. The message contains the name of a user and a response that proves that the client has the user's password. The server validates the response sent by the client. If the user name is for a local account, it can validate the response by using information in its local account database. If the user name is for a domain account, it validates the response by sending the user authentication information (the user name, the challenge sent to the client, and the response received from the client) to a DC that can validate the response. (see [MS-APDS] section 3.1). The NTLM protocol completes.

  4. If the challenge and the response prove that the client has the user's password, the authentication succeeds and the application protocol continues according to its specification. If the authentication fails, the server might send the status in an application protocol–specified way, or it might simply terminate the connection.