2.1.4.1.2 NT LAN Manager (NTLM) Authentication Protocol

The identity of the application client is authenticated using the NT LAN Manager Authentication Protocol Specification (NTLM) and the Authentication Protocol Domain Support Specification (APDS), as described in [MS-AUTHSOD] section 2.1.2.3. After the authentication process succeeds, the domain controller returns a NETLOGON_VALIDATION_SAM_INFO* structure. The authorization system builds the access token from the group membership information in the NETLOGON_VALIDATION_SAM_INFO* structure, the local security groups in the SAM database, and the privileges and logon rights in the LSA policy database.

The application server impersonates the identity's access token and invokes the access check function in the authorization system, passing the access token, the requested access mask, and the security descriptor of the requested object. The authorization system executes the access check algorithm, as described in [MS-DTYP] section 2.5.3.2, to determine whether the impersonated identity holds the requested access rights to the object.
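The following is an added example, not code from the specification: a simplified Python model of the DACL evaluation that the [MS-DTYP] section 2.5.3.2 access check performs (NULL DACL grants everything, owner implicitly holds READ_CONTROL and WRITE_DAC, ACEs evaluated in order with a matching DENY on an outstanding bit ending the check). The data shapes, the flat rights constants, and the SIDs in the sample DACL are constructed for illustration and omit object ACEs, MAXIMUM_ALLOWED, and privilege handling.

```python
# Simplified access-check model (assumption: illustrative, not the spec's
# verbatim pseudocode). Rights and ACE constants are constructed for this demo.
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
FILE_READ = 0x0001
FILE_WRITE = 0x0002
ALLOW, DENY = "ALLOW", "DENY"
INHERIT_ONLY = 0x08  # ACE flag: ACE applies to children only, not this object


def access_check(token_sids, owner_sid, dacl, requested):
    """Return True if every bit in `requested` is granted to the token.

    token_sids: set of SID strings carried by the impersonated access token
    owner_sid:  owner SID from the object's security descriptor
    dacl:       ordered list of (ace_type, ace_flags, sid, mask), or None
    """
    # A NULL DACL means the object is unprotected: grant everything.
    if dacl is None:
        return True
    remaining = requested
    # The owner implicitly holds READ_CONTROL and WRITE_DAC.
    if owner_sid in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    # ACEs are evaluated strictly in DACL order. A matching DENY on any
    # still-outstanding bit fails the check immediately; ALLOWs accumulate.
    for ace_type, ace_flags, sid, mask in dacl:
        if ace_flags & INHERIT_ONLY or sid not in token_sids:
            continue
        if ace_type == DENY and remaining & mask:
            return False
        if ace_type == ALLOW:
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed sample SIDs and DACL: group-based allows, explicit per-user deny.
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"
ALICE, BOB = "S-1-5-21-1-1001", "S-1-5-21-1-1002"
SAMPLE_DACL = [
    (DENY, 0, ALICE, FILE_WRITE),  # canonical order: explicit denies first
    (ALLOW, 0, USERS, FILE_READ | FILE_WRITE),
    (ALLOW, 0, ADMINS, READ_CONTROL | WRITE_DAC),
]


def alice_can_write():
    """Alice is a member of Users, but the explicit DENY wins for FILE_WRITE."""
    return access_check({ALICE, USERS}, BOB, SAMPLE_DACL, FILE_WRITE)
```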