3.2.1.2 NTLM Subsystem Interaction

During the inside_authentication state, the server invokes the NTLM subsystem and uses connection-oriented NTLM, as specified in [MS-NLMP].

The following is a description of how the IMAP4 NTLM extension uses NTLM. For more details, see [MS-NLMP].

  1. On receiving the NTLM NEGOTIATE_MESSAGE message, the server passes it to the NTLM subsystem. If the NTLM NEGOTIATE_MESSAGE message was valid, the NTLM subsystem returns the NTLM CHALLENGE_MESSAGE message.

  2. Subsequently, the exchange of NTLM messages proceeds as defined by NTLM, with the server encapsulating the NTLM messages that are returned by NTLM before sending them to the client.

  3. When NTLM completes authentication, either successfully or unsuccessfully, the NTLM subsystem notifies the server.

    • On successful completion, the server MUST exit the inside_authentication state and enter the completed_authentication state and send the IMAP4_AUTHENTICATE_NTLM_Succeeded_Response message to the client.

    • If a failure occurs due to an incorrect password error, as specified in [MS-NLMP], the server MUST enter the completed_authentication state and send the client an IMAP4_AUTHENTICATE_NTLM_Fail_Response message.

    • If a failure occurs on the server due to any reason other than the incorrect password error, the server enters the completed_authentication state and sends the client an IMAP4_AUTHENTICATE_NTLM_Fail_Response message.
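The three steps above, modeled as a small server-side state machine. This is an added example, not code from the specification: `StubNtlm`, `ImapNtlmServer`, `on_client_line` and `audit` are hypothetical names, and the NTLM message bodies are constructed placeholders. It assumes the encapsulation is the base64 continuation line (`+ ...`) of the IMAP AUTHENTICATE command, and that an invalid or out-of-order NTLM message is handled as a failure other than the incorrect password error.

```python
import base64
import struct
from enum import Enum

SIGNATURE = b"NTLMSSP\x00"                 # MS-NLMP message signature
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
Outcome = Enum("Outcome", "SUCCESS BAD_PASSWORD OTHER_FAILURE")

def ntlm_message(msg_type, body=b""):
    """Constructed sample: signature + little-endian MessageType + body."""
    return SIGNATURE + struct.pack("<I", msg_type) + body

def message_type(raw):
    """MessageType field, or None when the 12-byte header is malformed."""
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        return None
    return struct.unpack_from("<I", raw, 8)[0]

class StubNtlm:
    """Hypothetical stand-in for the NTLM subsystem; final outcome is preset."""
    def __init__(self, outcome):
        self.outcome, self.challenged = outcome, False
    def handle(self, raw):
        kind = message_type(raw)
        if kind == NEGOTIATE and not self.challenged:
            self.challenged = True
            return ntlm_message(CHALLENGE, b"\x00" * 8)   # placeholder body
        if kind == AUTHENTICATE and self.challenged:
            return self.outcome
        return Outcome.OTHER_FAILURE       # invalid or out-of-order message

class ImapNtlmServer:
    def __init__(self, ntlm):
        self.ntlm, self.state = ntlm, "inside_authentication"
        self.audit = []                    # failure reason stays server-side
    def on_client_line(self, b64_line):
        if self.state != "inside_authentication":
            raise RuntimeError("authentication already completed")
        try:
            result = self.ntlm.handle(base64.b64decode(b64_line, validate=True))
        except ValueError:                 # binascii.Error subclasses ValueError
            result = Outcome.OTHER_FAILURE
        if isinstance(result, bytes):      # step 2: encapsulate NTLM's reply
            return "+ " + base64.b64encode(result).decode()
        self.state = "completed_authentication"           # step 3
        self.audit.append(result.name)
        if result is Outcome.SUCCESS:
            return "IMAP4_AUTHENTICATE_NTLM_Succeeded_Response"
        return "IMAP4_AUTHENTICATE_NTLM_Fail_Response"
```

Both failure outcomes produce the same IMAP4_AUTHENTICATE_NTLM_Fail_Response, so the client cannot tell them apart; only the server-side `audit` list records which one occurred.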