18.104.22.168.1 Client Receives a CHALLENGE_MESSAGE
When the client receives a CHALLENGE_MESSAGE, it MUST produce a challenge response and an encrypted session key. The client MUST send the negotiated features (flags), the user name, the user's domain, the client part of the challenge, the challenge response, and the encrypted session key to the server. This message is sent to the server as an AUTHENTICATE_MESSAGE.
If the ClientBlocked == TRUE and targ_name ([RFC2743] section 2.2.1) does not equal any of the ClientBlockExceptions server names, then the NTLM client MUST return STATUS_NOT_SUPPORTED ([MS-ERREF] section 2.3.1) to the client application.<53>
If NTLM v2 authentication is used and the CHALLENGE_MESSAGE contains a TargetInfo field, the client SHOULD NOT send the LmChallengeResponse field and SHOULD set the LmChallengeResponseLen and LmChallengeResponseMaxLen fields in the AUTHENTICATE_MESSAGE to zero.<54>
If NTLM v2 authentication is used, the client SHOULD send the timestamp in the AUTHENTICATE_MESSAGE.<55>
If there exists a CHALLENGE_MESSAGE.TargetInfo.AvId == MsvAvTimestamp Set Time to CHALLENGE_MESSAGE.TargetInfo.Value of the AVPair ELSE Set Time to Currenttime Endif
If the CHALLENGE_MESSAGE TargetInfo field (section 22.214.171.124) has an MsvAvTimestamp present, the client SHOULD provide a MIC<56>:
If there is an AV_PAIR structure (section 126.96.36.199) with the AvId field set to MsvAvFlags,
then in the Value field, set bit 0x2 to 1.
else add an AV_PAIR structure (section 188.8.131.52) and set the AvId field to MsvAvFlags and the Value field bit 0x2 to 1.
Populate the MIC field with the MIC, where
Set MIC to HMAC_MD5(ExportedSessionKey, ConcatenationOf( CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE))
The client SHOULD send the channel binding AV_PAIR <57>:
If the CHALLENGE_MESSAGE contains a TargetInfo field (section 184.108.40.206)
If the ClientChannelBindingsUnhashed (section 220.127.116.11) is not NULL
Add an AV_PAIR structure (section 18.104.22.168) and set the AvId field to MsvAvChannelBindings and the Value field to MD5_HASH(ClientChannelBindingsUnhashed).
Else add an AV_PAIR structure (section 22.214.171.124) and set the AvId field to MsvAvChannelBindings and the Value field to Z(16).
If ClientSuppliedTargetName (section 126.96.36.199) is not NULL
Add an AV_PAIR structure (section 188.8.131.52) and set the AvId field to MsvAvTargetName and the Value field to ClientSuppliedTargetName without terminating NULL. If UnverifiedTargetName (section 184.108.40.206) is TRUE, then in AvId field = MsvAvFlags set 0x00000004 bit.<58>
Else add an AV_PAIR structure (section 220.127.116.11) and set the AvId field to MsvAvTargetName and the Value field to an empty string without terminating NULL.
When this process is complete, the client MUST send the AUTHENTICATE_MESSAGE to the server, embedded in an application protocol message, and encoded as specified by that application protocol.