3.1.1.2 NTLM Subsystem Interaction

During the inside_authentication phase, the POP3 client invokes the NTLM subsystem as described in [MS-NLMP] section 3.1. The NTLM protocol is used with these options:

  1. The negotiation is a connection-oriented NTLM negotiation.

  2. None of the flags specified in [MS-NLMP] section 3.1.1 is specific to NTLM.

The following is a description of how POP3 uses NTLM. All NTLM messages are encapsulated as specified in section 2.1. [MS-NLMP] section 3.1.1 describes the data model, internal states, and sequencing of NTLM messages in greater detail:

  1. The client initiates the authentication by invoking NTLM, upon which NTLM returns the NTLM NEGOTIATE_MESSAGE packet to be sent to the server.

  2. Subsequently, NTLM messages are exchanged as defined by the NTLM protocol: the POP3 client encapsulates each NTLM message before sending it to the server, and de-encapsulates each POP3 message it receives to obtain the NTLM message before passing it to NTLM.

  3. The NTLM protocol completes authentication, either successfully or unsuccessfully, as follows:

    • The server sends the POP3_AUTH_NTLM_Succeeded_Response to the client. On receiving this message, the client transitions to the completed_authentication state and SHOULD treat the authentication attempt as successful.

    • The server sends the POP3_AUTH_NTLM_Fail_Response to the client. On receiving this message, the client transitions to the completed_authentication state and SHOULD treat the authentication attempt as failed.

    • Failures reported from the NTLM package (which can occur for any reason, including incorrect data being passed in, or implementation-specific errors) are not reported to the client and cause the client to transition to the completed_authentication state.
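As an added illustration, not part of this specification or of [MS-NLMP], the following Python sketch drives the client side of the sequence above against scripted server lines. The NTLM package is a constructed stand-in (`fake_ntlm_package`, hypothetical, emitting truncated message headers only), and the base64 line framing is assumed from section 2.1, which this section only references; the three ways of leaving inside_authentication listed under step 3 are each handled.

```python
import base64
from enum import Enum
from typing import Callable, Iterator, List, Optional, Tuple

class NtlmError(Exception):
    """Raised by the (hypothetical) NTLM package for any internal failure."""

class State(Enum):
    INSIDE_AUTHENTICATION = "inside_authentication"
    COMPLETED_AUTHENTICATION = "completed_authentication"

# Input: the server's NTLM message (None before NEGOTIATE); output: the next NTLM message.
NtlmPackage = Callable[[Optional[bytes]], bytes]

def encapsulate(ntlm_msg: bytes) -> bytes:
    # Framing assumed from section 2.1: one base64 line, CRLF-terminated.
    return base64.b64encode(ntlm_msg) + b"\r\n"

def decapsulate(line: bytes) -> Optional[bytes]:
    # A '+ <base64>' continuation carries an NTLM message; '+OK' and '-ERR' do not.
    body = line.rstrip(b"\r\n")
    if not body.startswith(b"+ "):
        return None
    return base64.b64decode(body[2:], validate=True)

def run_client(ntlm: NtlmPackage, server_lines: Iterator[bytes], sent: List[bytes]) -> Tuple[State, bool]:
    """Drive inside_authentication; return (final state, whether authentication succeeded)."""
    sent.append(b"AUTH NTLM\r\n")
    if not next(server_lines).startswith(b"+"):   # server did not accept the mechanism
        return State.COMPLETED_AUTHENTICATION, False
    incoming: Optional[bytes] = None               # first NTLM call yields NEGOTIATE_MESSAGE
    while True:
        try:
            sent.append(encapsulate(ntlm(incoming)))
        except NtlmError:
            # Package failure: nothing is reported to the peer; the phase simply ends.
            return State.COMPLETED_AUTHENTICATION, False
        reply = next(server_lines)
        if reply.startswith(b"+OK"):                # POP3_AUTH_NTLM_Succeeded_Response
            return State.COMPLETED_AUTHENTICATION, True
        if reply.startswith(b"-ERR"):               # POP3_AUTH_NTLM_Fail_Response
            return State.COMPLETED_AUTHENTICATION, False
        incoming = decapsulate(reply)
        if incoming is None:                        # malformed continuation (assumed: treat as failure)
            return State.COMPLETED_AUTHENTICATION, False

def fake_ntlm_package(fail_on_challenge: bool = False) -> NtlmPackage:
    # Constructed stand-in, not a real NTLM implementation: truncated type 1 / type 3 headers only.
    def step(server_msg: Optional[bytes]) -> bytes:
        if server_msg is None:
            return b"NTLMSSP\x00\x01\x00\x00\x00"                   # NEGOTIATE_MESSAGE
        if fail_on_challenge or not server_msg.startswith(b"NTLMSSP\x00\x02"):
            raise NtlmError("unusable CHALLENGE_MESSAGE")
        return b"NTLMSSP\x00\x03\x00\x00\x00"                       # AUTHENTICATE_MESSAGE
    return step
```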