3.1.4 Higher-Layer Triggered Events
The client application calls GSS_Init_sec_context() to establish a security context with the server application.
If the ClientBlocked == TRUE and targ_name ([RFC2743] section 2.2.1) does not equal any of the ClientBlockExceptions server names, then the NTLM client MUST return STATUS_NOT_SUPPORTED ([MS-ERREF] section 2.3.1) to the client application.<45>
NTLM has no requirements on which flags are used and will simply honor what was requested by the application or protocol. For an example of such a protocol specification, see [MS-RPCE] section 188.8.131.52.2.2. The application will send the NEGOTIATE_MESSAGE (section 184.108.40.206) to the server application.
When the client application receives the CHALLENGE_MESSAGE (section 220.127.116.11) from the server application, the client application will call GSS_Init_sec_context() with the CHALLENGE_MESSAGE as input. The client application will send the AUTHENTICATE_MESSAGE (section 18.104.22.168) to the server application.
Once the security context is established, the client application can call GSS_WrapEx() (section 3.4.6) to encrypt messages.
Once the security context is established, the client application can call GSS_UnwrapEx() (section 3.4.7) to decrypt messages that were encrypted by GSS_WrapEx.
Once the security context is established, the client application can call GSS_VerifyMICEx() (section 3.4.9) to verify a signature produced by GSS_GetMICEx().