1.7 Versioning and Capability Negotiation

The NTLM authentication version is not negotiated by the protocol. It has to be configured on both the client and the server prior to authentication. The version is selected by the client, and requested during the protocol negotiation. If the server does not support the version selected by the client, authentication fails.

NTLM implements capability negotiation by using the flags described in section The protocol messages used for negotiation depend on the mode of NTLM being used:

  • In connection-oriented NTLM, negotiation starts with a NEGOTIATE_MESSAGE, carrying the client's preferences, and the server replies with NegotiateFlags in the subsequent CHALLENGE_MESSAGE.

  • In connectionless NTLM, the server starts the negotiation with the CHALLENGE_MESSAGE and the client replies with NegotiateFlags in the subsequent AUTHENTICATE_MESSAGE.