3.3.5.1 NTLM RC4 Key State for MechListMIC and First Signed Message

When NTLM is negotiated, the SPNEGO Extension client MUST set OriginalHandle to ClientHandle before generating the mechListMIC and then set ClientHandle to OriginalHandle after generating the mechListMIC. This results in the RC4 key state being the same for the mechListMIC and for the first message signed by the application.

Because the RC4 key state is the same for the mechListMIC and for the first message signed by the application, the SPNEGO Extension server MUST set OriginalHandle to ServerHandle before validating the mechListMIC and then set ServerHandle to OriginalHandle after validating the mechListMIC.
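
The save-and-restore sequence described above, as an added example that is not part of the specification text. It is a simplified model: the checksum is the first 8 bytes of an HMAC-MD5 encrypted with the RC4 handle, sequence numbers and signature framing are omitted, and the `Context` class, `run_exchange` function and keys are constructed for illustration.

```python
import copy, hashlib, hmac

class RC4:
    """Minimal RC4; an instance plays the role of a handle (key state)."""
    def __init__(self, key):
        self.S, self.i, self.j = list(range(256)), 0, 0
        j = 0
        for i in range(256):  # key scheduling
            j = (j + self.S[i] + key[i % len(key)]) & 0xFF
            self.S[i], self.S[j] = self.S[j], self.S[i]

    def crypt(self, data):  # advances the key state by len(data) bytes
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.S[self.i]) & 0xFF
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            out.append(b ^ self.S[(self.S[self.i] + self.S[self.j]) & 0xFF])
        return bytes(out)

class Context:
    """One signing direction of one peer (hypothetical helper)."""
    def __init__(self, seal_key, sign_key):
        self.handle, self.sign_key = RC4(seal_key), sign_key

    def sign(self, data):
        # Simplified checksum: HMAC-MD5 truncated to 8 bytes, then RC4-encrypted.
        digest = hmac.new(self.sign_key, data, hashlib.md5).digest()[:8]
        return self.handle.crypt(digest)

    def mech_list_mic(self, mech_list, restore=True):
        original = copy.deepcopy(self.handle)  # OriginalHandle = Handle
        mic = self.sign(mech_list)
        if restore:
            self.handle = original             # Handle = OriginalHandle
        return mic

def run_exchange(server_restores):
    seal_key, sign_key = bytes(range(16)), bytes(range(16, 32))  # constructed keys
    client, server = Context(seal_key, sign_key), Context(seal_key, sign_key)
    mech_list, msg = b"constructed mechTypes", b"first signed message"
    mic_ok = hmac.compare_digest(
        client.mech_list_mic(mech_list),
        server.mech_list_mic(mech_list, restore=server_restores))
    first_ok = hmac.compare_digest(client.sign(msg), server.sign(msg))
    return mic_ok, first_ok

if __name__ == "__main__":
    print(run_exchange(True), run_exchange(False))
```

`run_exchange(False)` models a server that skips the restore: the mechListMIC still validates, but the first signed message fails verification because the server's key state is 8 bytes ahead of the client's.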