3.1.5.3.1 Receiving the NTLM_CHALLENGE REPLY Command

Expected AUTH_STATE: negotiate_data_sent

A REPLY command with NTLM_CommandCode set to NTLM_CHALLENGE indicates that the server has sent an NTLM CHALLENGE_MESSAGE.

On receiving this message, a client MUST call the appropriate local NTLM protocol function for processing the NTLM CHALLENGE_MESSAGE.

If the NTLM CHALLENGE_MESSAGE is a valid NTLM challenge message, as specified in [MS-NLMP], the local NTLM protocol function passes an NTLM AUTHENTICATE_MESSAGE back to the client. If message processing is successful, the client MUST continue, as specified in section 3.1.5.3.1.1.

The local NTLM protocol function passes an implementation-defined failure error code back to the client if the NTLM CHALLENGE_MESSAGE is not valid. The Telnet: NTLM Authentication Protocol client MUST NOT distinguish between different failure error codes. The client MUST treat all failure error codes identically. If message processing is unsuccessful, the client MUST continue, as specified in section 3.1.5.3.1.2.

Neither the mechanism for returning the NTLM AUTHENTICATE_MESSAGE nor the mechanism for returning a failure error code is defined by the Telnet: NTLM Authentication Protocol. These mechanisms are defined by the implementation of the NTLM protocol in use on the client.
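The following sketch is an added example, not part of the specification. It shows a client handler for this step that sends every failure code from the local NTLM function down the single path to section 3.1.5.3.1.2. The function names, the failure enum, the structural checks standing in for the local NTLM function, and the behaviour on an unexpected AUTH_STATE are all assumptions.

```python
import struct
from enum import Enum

NTLM_SIGNATURE = b"NTLMSSP\x00"  # [MS-NLMP] Signature field
CHALLENGE_TYPE = 2               # [MS-NLMP] MessageType of a CHALLENGE_MESSAGE
MIN_CHALLENGE_LEN = 48           # fixed fields through TargetInfoFields, no Version

class NtlmFailure(Enum):
    """Hypothetical implementation-defined failure codes."""
    TRUNCATED = 1
    BAD_SIGNATURE = 2
    WRONG_MESSAGE_TYPE = 3

def local_ntlm_process_challenge(msg: bytes):
    """Stand-in for the local NTLM function: returns (authenticate_msg, failure)."""
    if len(msg) < MIN_CHALLENGE_LEN:
        return None, NtlmFailure.TRUNCATED
    if msg[:8] != NTLM_SIGNATURE:
        return None, NtlmFailure.BAD_SIGNATURE
    if struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_TYPE:
        return None, NtlmFailure.WRONG_MESSAGE_TYPE
    # A real NTLM provider computes the response from the ServerChallenge at
    # offset 24; this placeholder is NOT a real AUTHENTICATE_MESSAGE.
    return b"AUTHENTICATE_MESSAGE-placeholder", None

def on_ntlm_challenge_reply(auth_state: str, challenge_msg: bytes):
    """Return (next_section, authenticate_msg or None) for an NTLM_CHALLENGE REPLY."""
    if auth_state != "negotiate_data_sent":
        # Assumption: this section does not say what to do in another state.
        raise ValueError("NTLM_CHALLENGE received in unexpected AUTH_STATE")
    auth_msg, failure = local_ntlm_process_challenge(challenge_msg)
    if failure is not None:
        # MUST NOT distinguish failure codes: one path, and the code is dropped
        # here so nothing downstream can branch on it.
        return "3.1.5.3.1.2", None
    return "3.1.5.3.1.1", auth_msg

def sample_challenge(signature=NTLM_SIGNATURE, msg_type=CHALLENGE_TYPE) -> bytes:
    """Constructed 48-byte CHALLENGE_MESSAGE header with empty payload fields."""
    return (signature + struct.pack("<I", msg_type) + bytes(8)   # TargetNameFields
            + bytes(4) + bytes(range(8)) + bytes(8) + bytes(8))  # flags, nonce, reserved, TargetInfo

if __name__ == "__main__":
    print(on_ntlm_challenge_reply("negotiate_data_sent", sample_challenge()))
    print(on_ntlm_challenge_reply("negotiate_data_sent", sample_challenge(msg_type=1)))
```

Because the handler returns the same tuple for every failure, a caller cannot tell a truncated message from one with a bad signature or wrong type.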