
2.2 Message Syntax

The NTLM Authentication Protocol consists of three message types used during authentication and one message type used for message integrity after authentication has occurred.

The authentication messages (NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, and AUTHENTICATE_MESSAGE) are variable-length messages containing a fixed-length header and a variable-sized message payload. The fixed-length header always starts as shown in the following table with a Signature and MessageType field.

Depending on the MessageType field, the message may have other message-dependent fixed-length fields. The fixed-length fields are then followed by a variable-length message payload.


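 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------------------------------+
| Signature                                                     |
+---------------------------------------------------------------+
| ...                                                           |
+---------------------------------------------------------------+
| MessageType                                                   |
+---------------------------------------------------------------+
| MessageDependentFields (variable)                             |
+---------------------------------------------------------------+
| ...                                                           |
+---------------------------------------------------------------+
| payload (variable)                                            |
+---------------------------------------------------------------+
| ...                                                           |
+---------------------------------------------------------------+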

Signature (8 bytes): An 8-byte character array that MUST contain the ASCII string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').

MessageType (4 bytes): The MessageType field MUST take one of the values from the following list:

| Value | Meaning |
|---|---|
| NtLmNegotiate 0x00000001 | The message is a NEGOTIATE_MESSAGE. |
| NtLmChallenge 0x00000002 | The message is a CHALLENGE_MESSAGE. |
| NtLmAuthenticate 0x00000003 | The message is an AUTHENTICATE_MESSAGE. |

MessageDependentFields (variable): The NTLM message contents, as specified in section 2.2.1.

payload (variable): The payload data contains a message-dependent number of individual payload messages. This payload data is referenced by byte offsets located in the MessageDependentFields.

The message integrity message, NTLMSSP_MESSAGE_SIGNATURE (section 2.2.2.9), is fixed length and is appended to the calling application's messages. This message type is used only when an application has requested message integrity or confidentiality operations, based on the session key negotiated during a successful authentication.

All multiple-byte values are encoded in little-endian byte order. Unless specified otherwise, 16-bit value fields are of type unsigned short, while 32-bit value fields are of type unsigned long.

All character string fields in NEGOTIATE_MESSAGE contain characters in the OEM character set. As specified in section 2.2.2.5, the client and server negotiate if they both support Unicode characters—in which case, all character string fields in the CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE contain UNICODE_STRING unless otherwise specified. Otherwise, the OEM character set is used. Agreement between client and server on the choice of OEM character set is not covered by the protocol and MUST occur out-of-band.

All Unicode strings are encoded with UTF-16 and the Byte Order Mark (BOM) is not sent over the wire. NLMP uses little-endian order unless otherwise specified.
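The header rules above, as an added example that is not part of the specification text: a Python check of the 8-byte Signature and the little-endian MessageType, plus a bounds check for payload references. The names `parse_header`, `payload_slice` and `NtlmFormatError`, the constructed sample buffer, and the assumption that payload offsets count from the start of the message are this example's own.

```python
import struct
from enum import IntEnum

SIGNATURE = b"NTLMSSP\x00"       # 8-byte Signature field, including the trailing NUL
HEADER = struct.Struct("<8sI")   # Signature, then MessageType as little-endian 32-bit


class MessageType(IntEnum):
    NtLmNegotiate = 0x00000001
    NtLmChallenge = 0x00000002
    NtLmAuthenticate = 0x00000003


class NtlmFormatError(ValueError):
    """Raised when a buffer does not follow the fixed header layout."""


def parse_header(buf: bytes) -> "tuple[MessageType, bytes]":
    """Validate the fixed header; return (MessageType, bytes after the header)."""
    if len(buf) < HEADER.size:
        raise NtlmFormatError(f"truncated header: {len(buf)} of {HEADER.size} bytes")
    signature, raw_type = HEADER.unpack_from(buf, 0)
    if signature != SIGNATURE:
        raise NtlmFormatError(f"bad Signature: {signature!r}")
    try:
        return MessageType(raw_type), buf[HEADER.size:]
    except ValueError:
        raise NtlmFormatError(f"unknown MessageType: 0x{raw_type:08x}") from None


def payload_slice(buf: bytes, offset: int, length: int) -> bytes:
    """Return the payload bytes a message-dependent field refers to.

    Assumption: offsets are counted from the start of the message. References
    into the 12-byte Signature/MessageType header or past the end of the
    buffer are rejected before any bytes are read.
    """
    if offset < HEADER.size or length < 0 or offset + length > len(buf):
        raise NtlmFormatError(f"payload reference out of bounds: {offset}+{length}")
    return buf[offset:offset + length]


# Constructed sample (not captured traffic): header, 20 filler bytes, 3 payload bytes.
SAMPLE_CHALLENGE = SIGNATURE + struct.pack("<I", 2) + b"\x00" * 20 + b"LAB"
```

A parser that skips the bounds check and trusts offsets read from the message can be steered into reading outside the received buffer, so the check belongs before every payload access.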

 
© 2015 Microsoft