2.2.1.3.7 NtlmCredIsoRemoteInput

The NtlmCredIsoRemoteInput structure is used for an NTLM call message. It is paired with an NtlmCredIsoRemoteOutput structure (section 2.2.1.3.8) NTLM reply message. The CallId determines which of the following union members is associated with the current message. Note that input and output each use different parts of the same message structure.

Note: The word "server" refers to the LSA server which is providing access to credentials and "client" refers to the LSA client which is using the credentials provided by the server. This is the opposite of the RDP view.

    typedef struct _NtlmCredIsoRemoteInput
    {
        RemoteGuardCallId CallId;
        [switch_type(RemoteGuardCallId), switch_is(CallId)] union
        {
            // Used to negotiate the protocol version that will be used.
            // Server sends the maximum version it supports; client replies
            // with the version that will actually be used.
            [case(RemoteCallNtlmNegotiateVersion)] struct
            {
                ULONG MaxSupportedVersion;
            } NegotiateVersion;
 
            // Use the provided credential and challenge to generate the 
            // NT and LM response for the NTLM v2 authentication protocol.
            [case(RemoteCallNtlmLm20GetNtlm3ChallengeResponse)] struct
            {
                PMSV1_0_REMOTE_ENCRYPTED_SECRETS Credential;
                PRPC_UNICODE_STRING UserName;
                PRPC_UNICODE_STRING LogonDomainName;
                PRPC_UNICODE_STRING ServerName;
                UCHAR ChallengeToClient[MSV1_0_CHALLENGE_LENGTH];
            } Lm20GetNtlm3ChallengeResponse;
 
            // Use the provided credential to calculate a response 
            // to this challenge according to the NTLM v1 protocol.
            [case(RemoteCallNtlmCalculateNtResponse)] struct
            {
                PNT_CHALLENGE NtChallenge;
                PMSV1_0_REMOTE_ENCRYPTED_SECRETS Credential;
            } CalculateNtResponse;
 
            // Use the provided credential and response to calculate 
            // a session key according to the NTLM v1 protocol.
            [case(RemoteCallNtlmCalculateUserSessionKeyNt)] struct
            {
                PNT_RESPONSE NtResponse;
                PMSV1_0_REMOTE_ENCRYPTED_SECRETS Credential;
            } CalculateUserSessionKeyNt;
 
            // Compare the provided credentials to determine whether
            // they're identical.
            [case(RemoteCallNtlmCompareCredentials)] struct
            {
                PMSV1_0_REMOTE_ENCRYPTED_SECRETS LhsCredential;
                PMSV1_0_REMOTE_ENCRYPTED_SECRETS RhsCredential;
            } CompareCredentials;
        };
    } NtlmCredIsoRemoteInput, *PNtlmCredIsoRemoteInput;

CallId: An ID from the RemoteGuardCallId enumeration (section 2.2.1.1) that determines which of the following union members is associated with the current message.

NegotiateVersion: A structure (section 2.2.2.2.1) that contains the maximum version agreed between the server and the client. Used to negotiate the protocol version that will be used. Server sends the maximum version it supports; client replies with the version that will be used.

Lm20GetNtlm3ChallengeResponse: A structure (section 2.2.2.2.2) that contains the user credentials from which to generate an NTLM v2 response and session keys.

CalculateNtResponse: A structure (section 2.2.2.2.3) that contains the challenge sent by the server and the NTLM credentials from which to generate a response.

CalculateUserSessionKeyNt: A structure (section 2.2.2.2.4) that contains the response sent during NTLM v1 authentication and the NTLM credentials used to generate the response.

CompareCredentials: A structure (section 2.2.2.2.5) that contains the first and the second credential to be compared.