1.3.1.1 NTLM Connection-Oriented Call Flow

The following illustration shows a typical NTLM connection-oriented call flow when an application protocol creates an authenticated session. For detailed message specifications, see section 2; for the rules that govern how each message is processed, see section 3.


Figure 2: Connection-oriented NTLM message flow

  1. Application-specific protocol messages are sent between client and server.

  2. The NTLM protocol begins when the application requires an authenticated session. The client sends an NTLM NEGOTIATE_MESSAGE to the server. This message specifies the security features (negotiate flags) that the client wants for the session.

  3. The server sends an NTLM CHALLENGE_MESSAGE to the client. The message carries the security features the server has agreed to and an 8-byte nonce (the server challenge) that the server generates.

  4. The client sends an NTLM AUTHENTICATE_MESSAGE to the server. The message contains the name of a user and a response that proves that the client has the user's password. The server validates the response sent by the client. If the user name is for a local account, the server validates the response by using information in its local account database. If the user name is for a domain account, the server validates the response by sending the user authentication information (the user name, the challenge sent to the client, and the response received from the client) to a domain controller (DC) that can validate the response (see [MS-APDS] section 3.1). The NTLM protocol completes.

  5. If the challenge and the response prove that the client has the user's password, the authentication succeeds, and the application protocol continues according to its specification. If the authentication fails, the server might send the status in an application protocol–specified way, or it might simply terminate the connection.
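The five steps above, run end to end in one process, as an added example that is not part of this specification: the client builds NEGOTIATE_MESSAGE and AUTHENTICATE_MESSAGE, the server builds CHALLENGE_MESSAGE and then takes the local-account path of step 4, validating the NTLMv2 response against a hypothetical account database that stores NT hashes. The message layouts follow section 2 (no Version or MIC fields are emitted), the response computation follows the NTLMv2 rules of section 3.3.2, and the account names, password and server name are made-up values. MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds.

```python
import hmac
import secrets
import struct
import time


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for NTOWFv1; written out because hashlib may not offer it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                A, D, C, B = D, C, B, rol((A + fn(B, C, D) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
        a, b, c, d = ((x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (A, B, C, D)))
    return struct.pack("<4I", a, b, c, d)


def ntowf_v1(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))            # the "NT hash" a local account database stores


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # Section 3.3.2: HMAC_MD5(NTOWFv1(Passwd), UPPER(User) + UserDom), both UTF-16LE
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


SIG = b"NTLMSSP\x00"
UNICODE, REQUEST_TARGET, NTLM, ALWAYS_SIGN, EXT_SESSIONSECURITY, TARGET_INFO = 0x1, 0x4, 0x200, 0x8000, 0x80000, 0x800000


def field(data: bytes, offset: int) -> bytes:
    return struct.pack("<HHI", len(data), len(data), offset)   # Len, MaxLen, BufferOffset into the payload


def read_field(msg: bytes, at: int) -> bytes:
    ln, _, off = struct.unpack_from("<HHI", msg, at)
    return msg[off:off + ln]


def negotiate_message() -> bytes:                              # step 2: client -> server
    flags = UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXT_SESSIONSECURITY
    return SIG + struct.pack("<II", 1, flags) + field(b"", 32) + field(b"", 32)   # empty DomainName/Workstation


def challenge_message(negotiate: bytes, server: str, domain: str, server_challenge: bytes) -> bytes:   # step 3
    flags = (struct.unpack_from("<I", negotiate, 12)[0] & (UNICODE | NTLM | ALWAYS_SIGN | EXT_SESSIONSECURITY)) | TARGET_INFO
    target = domain.encode("utf-16-le")
    # TargetInfo AV_PAIRs: MsvAvNbDomainName (2), MsvAvNbComputerName (1), terminated by MsvAvEOL
    av = b"".join(struct.pack("<HH", av_id, len(v)) + v
                  for av_id, v in ((2, target), (1, server.encode("utf-16-le")))) + bytes(4)
    return (SIG + struct.pack("<I", 2) + field(target, 48) + struct.pack("<I", flags) + server_challenge
            + bytes(8) + field(av, 48 + len(target)) + target + av)          # 48-byte header, Reserved = Z(8)


def filetime_now() -> int:
    return int((time.time() + 11644473600) * 10_000_000)       # 100 ns ticks since 1601-01-01


def authenticate_message(challenge: bytes, user: str, domain: str, password: str,
                         client_challenge: bytes, timestamp: int) -> bytes:   # step 4: client -> server
    server_challenge, flags = challenge[24:32], struct.unpack_from("<I", challenge, 20)[0]
    target_info = read_field(challenge, 40)
    key = ntowf_v2(ntowf_v1(password), user, domain)
    # temp = Responserversion | HiResponserversion | Z(6) | Time | ClientChallenge | Z(4) | TargetInfo | Z(4)
    temp = b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_challenge + bytes(4) + target_info + bytes(4)
    nt_response = hmac.new(key, server_challenge + temp, "md5").digest() + temp      # NTProofStr | temp
    lm_response = hmac.new(key, server_challenge + client_challenge, "md5").digest() + client_challenge
    payload, fields = b"", []
    for blob in (lm_response, nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""):
        fields.append(field(blob, 64 + len(payload)))          # 64-byte header: no Version, no MIC
        payload += blob
    return SIG + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", flags) + payload


ACCOUNT_DB = {"alice": ntowf_v1("Passw0rd!")}   # hypothetical local account database: user -> NT hash


def validate_response(auth: bytes, server_challenge: bytes, challenge: bytes) -> bool:
    """Server side of step 4 for a local account: recompute NTProofStr from the stored NT hash."""
    nt_response = read_field(auth, 20)
    domain, user = read_field(auth, 28).decode("utf-16-le"), read_field(auth, 36).decode("utf-16-le")
    nt_hash = ACCOUNT_DB.get(user.lower())
    if nt_hash is None or len(nt_response) < 16 + 28 + 4:
        return False
    nt_proof, temp = nt_response[:16], nt_response[16:]
    if temp[28:-4] != read_field(challenge, 40):               # TargetInfo must be the one this server issued
        return False
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(expected, nt_proof)             # constant-time compare of the proof


def run_exchange(user: str, domain: str, password: str, server: str = "SRV01") -> bool:
    negotiate = negotiate_message()
    server_challenge = secrets.token_bytes(8)                  # the server's nonce from step 3
    challenge = challenge_message(negotiate, server, domain, server_challenge)
    auth = authenticate_message(challenge, user, domain, password, secrets.token_bytes(8), filetime_now())
    return validate_response(auth, server_challenge, challenge)   # step 5: success or failure


if __name__ == "__main__":
    print("alice, correct password:", run_exchange("alice", "CONTOSO", "Passw0rd!"))
    print("alice, wrong password:  ", run_exchange("alice", "CONTOSO", "wrong"))
```

The server never needs the password: NTOWFv2 is derived from the stored NT hash plus the user and domain names carried in AUTHENTICATE_MESSAGE, which is exactly why an NT hash is as good as the password for this exchange. The check that the TargetInfo embedded in temp is the one this server issued ties the response to this server's CHALLENGE_MESSAGE; it is not a substitute for the MIC and signing features covered elsewhere in the specification.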