2.2 Message Syntax

The NTLM Authentication Protocol consists of three message types used during authentication and one message type used for message integrity after authentication has occurred.

The authentication messages:

These are variable-length messages containing a fixed-length header and a variable-sized message payload. The fixed-length header always starts as shown in the following table with a Signature and MessageType field.

Depending on the MessageType field, the message can have other message-dependent fixed-length fields. The fixed-length fields are then followed by a variable-length message payload.


[Packet diagram, 32 bits per row (bit positions 0-31), fields in order:]

Signature (8 bytes, two rows)
MessageType (4 bytes, one row)
MessageDependentFields (variable)
payload (variable)

Signature (8 bytes): An 8-byte character array that MUST contain the ASCII string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').

MessageType (4 bytes): The MessageType field MUST take one of the values from the following list:

| Value | Meaning |
|---|---|
| NtLmNegotiate 0x00000001 | The message is a NEGOTIATE_MESSAGE. |
| NtLmChallenge 0x00000002 | The message is a CHALLENGE_MESSAGE. |
| NtLmAuthenticate 0x00000003 | The message is an AUTHENTICATE_MESSAGE. |

MessageDependentFields (variable): The NTLM message contents, as specified in section 2.2.1.

payload (variable): The payload data contains a message-dependent number of individual payload messages. This payload data is referenced by byte offsets located in the MessageDependentFields.

The message integrity NTLMSSP_MESSAGE_SIGNATURE message (section 2.2.2.9) is fixed length and is appended to the calling application's messages. This message type is used only when an application has requested message integrity or confidentiality operations, based on the session key negotiated during a successful authentication.

All multiple-byte values are encoded in little-endian byte order. Unless specified otherwise, 16-bit value fields are of type unsigned short, while 32-bit value fields are of type unsigned long.

In the NEGOTIATE_MESSAGE message all character string fields contain characters in the OEM character set. As specified in section 2.2.2.5, the client and server negotiate if they both support Unicode characters—in which case, all character string fields in the CHALLENGE_MESSAGE message and AUTHENTICATE_MESSAGE message contain an RPC_UNICODE_STRING structure ([MS-DTYP] section 2.3.10) unless otherwise specified. Otherwise, the OEM character set is used. Agreement between client and server on the choice of OEM character set is not covered by the protocol and MUST occur out-of-band.

All Unicode strings are encoded with UTF-16 and the byte order mark (BOM) is not sent over the wire. NLMP uses little-endian order unless otherwise specified.
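The following Python example is added here for illustration and is not part of the specification. It validates the fixed header described in this section, bounds-checks a payload reference, and decodes a string field. The function names, the `cp437` default OEM code page, and the sample bytes are assumptions; the offset and length passed to `payload_slice` are assumed to have been read already from the MessageDependentFields (section 2.2.1).

```python
import struct

SIGNATURE = b"NTLMSSP\x00"   # 8-byte Signature required by this section
HEADER_LEN = 12              # Signature (8 bytes) + MessageType (4 bytes)
MESSAGE_TYPES = {
    0x00000001: "NEGOTIATE_MESSAGE",
    0x00000002: "CHALLENGE_MESSAGE",
    0x00000003: "AUTHENTICATE_MESSAGE",
}


class NtlmParseError(ValueError):
    """Raised when a message violates the syntax rules of this section."""


def parse_header(msg: bytes) -> str:
    """Validate Signature and MessageType; return the message type name."""
    if len(msg) < HEADER_LEN:
        raise NtlmParseError("message shorter than the fixed header")
    if msg[:8] != SIGNATURE:
        raise NtlmParseError("bad Signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)  # little-endian unsigned 32-bit
    if msg_type not in MESSAGE_TYPES:
        raise NtlmParseError(f"unknown MessageType 0x{msg_type:08x}")
    return MESSAGE_TYPES[msg_type]


def payload_slice(msg: bytes, offset: int, length: int) -> bytes:
    """Return the referenced bytes only if they lie inside the message, past the header."""
    if offset < HEADER_LEN or length < 0 or offset + length > len(msg):
        raise NtlmParseError("payload reference outside the message")
    return msg[offset:offset + length]


def decode_string(raw: bytes, unicode_negotiated: bool, oem_codepage: str = "cp437") -> str:
    """Decode a string field: UTF-16LE without BOM, or the out-of-band OEM code page."""
    if unicode_negotiated:
        if len(raw) % 2:
            raise NtlmParseError("odd-length UTF-16 string")
        return raw.decode("utf-16-le")
    return raw.decode(oem_codepage)  # assumption: code page agreed out-of-band


# Constructed sample: header plus a bare UTF-16LE string, with no
# message-dependent fields, so the payload starts at offset 12.
SAMPLE = SIGNATURE + struct.pack("<I", 2) + "LAB".encode("utf-16-le")

if __name__ == "__main__":
    print(parse_header(SAMPLE), decode_string(payload_slice(SAMPLE, 12, 6), True))
```

A parser that skips the bounds check in `payload_slice` would read outside the received buffer whenever a peer sends an offset or length that does not fit the message.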