3.3.4.1.3 Generating a Return NL_AUTH_MESSAGE Token

Upon successful verification and extraction of data from the initial token, the server verifies that a successful session-key negotiation has occurred by the presence of the Session-Key data item for the client. If no negotiation has occurred, the server MUST return SEC_E_INVALID_TOKEN (0x80090308) indicating that an invalid token has been received.

The server generates a return NL_AUTH_MESSAGE (section 2.2.1.3.1) token. The MessageType MUST be set to 1 to indicate that this is a Negotiate response message type. The Flags field is set to zero, the Buffer field contains a NULL character, and the NL_AUTH_MESSAGE token MUST be padded to 12 bytes in length.

The return NL_AUTH_MESSAGE token is then sent back to the client along with any additional application-specific data.
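The following sketch is an added example, not part of the specification: it builds the return token as described above and strictly checks a received one. It assumes the NL_AUTH_MESSAGE layout is a 4-byte MessageType, a 4-byte Flags field and then Buffer, in little-endian order, with zero padding bytes; `session_key`, `build_return_token` and `check_return_token` are hypothetical names, and `SEC_E_OK` as the success status is an assumption.

```python
import struct

NEGOTIATE_RESPONSE = 1            # MessageType required by this section
RETURN_TOKEN_LEN = 12             # required padded token length
SEC_E_INVALID_TOKEN = 0x80090308  # status named by this section
SEC_E_OK = 0x00000000             # assumed success status

# Assumed layout: 4-byte MessageType, 4-byte Flags (little-endian), then Buffer.
HEADER = struct.Struct("<II")


def build_return_token(session_key):
    """Server side. session_key is a hypothetical stand-in for the client's
    Session-Key data item; None or empty means no negotiation has occurred."""
    if not session_key:
        return SEC_E_INVALID_TOKEN, b""
    token = HEADER.pack(NEGOTIATE_RESPONSE, 0) + b"\x00"  # Buffer = NULL char
    # Zero padding is an assumption; the section only fixes the length.
    return SEC_E_OK, token.ljust(RETURN_TOKEN_LEN, b"\x00")


def check_return_token(token):
    """Receiver side: list every deviation from the layout described above."""
    problems = []
    if len(token) != RETURN_TOKEN_LEN:
        problems.append("length %d, expected %d" % (len(token), RETURN_TOKEN_LEN))
    if len(token) <= HEADER.size:
        problems.append("truncated before Buffer")
        return problems
    message_type, flags = HEADER.unpack_from(token)
    if message_type != NEGOTIATE_RESPONSE:
        problems.append("MessageType %d, expected 1" % message_type)
    if flags != 0:
        problems.append("Flags 0x%08x, expected 0" % flags)
    if token[HEADER.size] != 0:
        problems.append("Buffer does not start with a NULL character")
    return problems


if __name__ == "__main__":
    status, token = build_return_token(b"\x11" * 16)  # constructed key
    print(hex(status), token.hex(), check_return_token(token))
    forged = struct.pack("<II", 0, 0x4) + b"A\x00\x00\x00"  # constructed bad token
    print(check_return_token(forged))
    print(hex(build_return_token(None)[0]))
```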