3.1.1.2 NTLM Subsystem Interaction

During the inside_authentication phase, the POP3 client invokes the NTLM subsystem and uses connection-oriented NTLM, as specified in [MS-NLMP].

All NTLM messages are encapsulated as specified in section 2.2. [MS-NLMP] describes the data model, internal states, and sequencing of NTLM messages in greater detail. POP3 uses NTLM as follows:

  1. The client initiates the authentication by invoking NTLM, after which NTLM returns the NTLM NEGOTIATE_MESSAGE message (as specified in [MS-NLMP]) to be sent to the server.

  2. Subsequently, the exchange of NTLM messages goes on as defined by the NTLM protocol, with the POP3 client encapsulating the NTLM messages before sending them to the server, and de-encapsulating POP3 messages to obtain the NTLM message before giving it to NTLM.

  3. The NTLM protocol completes authentication, either successfully or unsuccessfully, as follows:

    • The server sends the POP3_AUTH_NTLM_Succeeded_Response message to the client. On receiving this message, the client transitions to the completed_authentication state and treats the authentication attempt as successful.

    • The server sends the POP3_AUTH_NTLM_Fail_Response message to the client. On receiving this message, the client transitions to the completed_authentication state and treats the authentication attempt as failed.

    • Failures reported from the NTLM package (which can occur for any reason, including incorrect data being passed in, or implementation-specific errors) are reported to the client by NTLM and cause the client to transition to the completed_authentication state.
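
The three steps above as a client-side state machine that ends in completed_authentication on every path and records success only for the succeeded response. This is an added example, not code from the specification. Assumptions: the section 2.2 encapsulation is modeled as base64 with server blobs prefixed "+ ", success as a "+OK" line and failure as a "-ERR" line; FakeNtlm, Pop3NtlmClient, run_exchange and the placeholder tokens are hypothetical and do not produce real NTLM messages.

```python
import base64

class NtlmError(Exception):
    """Failure reported by the NTLM package."""

class FakeNtlm:
    """Constructed stand-in for the NTLM package; tokens are placeholders, not real NTLM."""
    def step(self, token):
        if token is None:
            return b"NEGOTIATE"            # stands in for NEGOTIATE_MESSAGE
        if token != b"CHALLENGE":
            raise NtlmError("incorrect data passed in")
        return b"AUTHENTICATE"             # stands in for the client's final NTLM message

class Pop3NtlmClient:
    def __init__(self, ntlm):
        self.ntlm = ntlm
        self.state = "inside_authentication"
        self.authenticated = False

    def _finish(self, ok):
        self.state, self.authenticated = "completed_authentication", ok
        return None                        # nothing further to send

    def start(self):
        # Step 1: NTLM returns the first message; encapsulate it for the server.
        return base64.b64encode(self.ntlm.step(None)).decode()

    def on_server_line(self, line):
        if self.state != "inside_authentication":
            raise RuntimeError("authentication already completed")
        if line.startswith("+OK"):         # assumed form of the succeeded response
            return self._finish(True)
        if not line.startswith("+ "):      # assumed "-ERR" fail response, or an unknown line
            return self._finish(False)
        try:                               # Step 2: de-encapsulate, give to NTLM, re-encapsulate
            token = base64.b64decode(line[2:].strip(), validate=True)
            return base64.b64encode(self.ntlm.step(token)).decode()
        except (ValueError, NtlmError):    # malformed blob or NTLM package failure
            return self._finish(False)

def run_exchange(server_lines):
    """Drive the client over constructed server lines; return (sent, state, authenticated)."""
    client = Pop3NtlmClient(FakeNtlm())
    sent = [client.start()]
    for line in server_lines:
        reply = client.on_server_line(line)
        if reply is None:
            break
        sent.append(reply)
    return sent, client.state, client.authenticated
```

Treating an unrecognized server line as a failed attempt is a choice made in this sketch so that the client never stays in inside_authentication on unexpected input.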