4.6.2 NTLM Authentication Sequence
For NTLM authentication, the following sequence is used.

Figure 10: NTLM authentication sequence
In response to a client LinkViewerToMacConnect message request, the server sends a LinkMacToViewerReportConnectedEX message with the following attributes:
The AuthenPackage field is set to NTLM.
The cbAuthenPackage field has a value of 5.
The client and server then continue their normal sequence of commands.
Eventually, the client sends a LinkViewerToMacOpenFile packet request, to which the server responds with a LinkMacToViewerSecurityChallenge message.
The client sends a LinkViewerToMacSecurityResponse message to the server that contains the first NTLM authentication token, and the server responds with a LinkMacToViewerSecurityChallenge message that contains the NTLM challenge token.
The client sends a LinkViewerToMacSecurityResponse message to the server that contains the response NTLM authentication token. If the credentials are correct, the server responds with a LinkMacToViewerReportOpenFile message. Otherwise, the server responds with a LinkMacToViewerSecurityChallenge message.