3.1.1.2 NTLM Subsystem Interaction

During the inside_authentication phase, the IMAP4 client invokes the NTLM subsystem and uses connection-oriented NTLM, as specified in [MS-NLMP].

All NTLM messages are encapsulated as specified in section 2.2.1. The data model, internal states, and sequencing of NTLM messages are specified in greater detail in [MS-NLMP].

  1. The client initiates the authentication by invoking NTLM, after which NTLM will return the NTLM NEGOTIATE_MESSAGE message to be sent to the server.

  2. Subsequently, the exchange of NTLM messages proceeds as defined by NTLM: the client encapsulates each NTLM message before sending it to the server, and de-encapsulates each IMAP4 message from the server to obtain the NTLM message before passing it to NTLM.

  3. NTLM completes authentication, either successfully or unsuccessfully, as follows:

    • The server sends the IMAP4_AUTHENTICATE_NTLM_Succeeded_Response to the client. On receiving this message, the client transitions to the completed_authentication state and MUST treat the authentication attempt as successful.

    • The server sends the IMAP4_AUTHENTICATE_NTLM_Fail_Response message to the client. On receiving this message, the client transitions to the completed_authentication state and MUST treat the authentication attempt as failed.

    • The NTLM subsystem can report a failure to the client for any reason, including incorrect data being passed in or implementation-specific errors. If the NTLM subsystem returns any failure status, that failure status MUST cause the client to transition to the completed_authentication state.
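The three-step client procedure above, modelled as a small client-side state machine. This is an added example and not code from the specification; it assumes the section 2.2.1 encapsulation is one base64 line on an IMAP4 "+ " continuation, that the Succeeded_Response and Fail_Response are the tagged OK and NO replies, and that the NTLM subsystem of [MS-NLMP] is stood in for by a caller-supplied ntlm_step callable.

```python
import base64

# Outcomes recorded when the client enters completed_authentication
SUCCEEDED, FAILED = "succeeded", "failed"

class NtlmError(Exception):
    """Any failure status returned by the external NTLM subsystem ([MS-NLMP])."""

def encapsulate(ntlm_msg):
    """Assumed encapsulation (section 2.2.1 is not on this page): one base64 line."""
    return base64.b64encode(ntlm_msg).decode("ascii")

def decapsulate(imap_line):
    """Strip the IMAP4 '+ ' continuation prefix and base64-decode the NTLM message."""
    return base64.b64decode(imap_line[2:], validate=True)

class Imap4NtlmClient:
    """Client-side state machine for the inside_authentication phase."""

    def __init__(self, tag, ntlm_step):
        # ntlm_step stands in for the NTLM subsystem: None -> NEGOTIATE_MESSAGE;
        # decapsulated server message -> next NTLM message, or raises NtlmError.
        self.tag, self.ntlm_step = tag, ntlm_step
        self.state, self.outcome = "inside_authentication", None

    def start(self):
        # Step 1: invoke NTLM and encapsulate the NEGOTIATE_MESSAGE for the server.
        return encapsulate(self.ntlm_step(None))

    def handle_server_line(self, line):
        """Return the next client line, or None once authentication has completed."""
        # Step 3: tagged replies (assumed: 'OK' = Succeeded_Response, 'NO' = Fail_Response).
        if line.startswith(f"{self.tag} OK"):
            return self._complete(SUCCEEDED)
        if line.startswith(f"{self.tag} NO"):
            return self._complete(FAILED)
        # Step 2: a '+ ' continuation carries the next NTLM message from the server.
        if line.startswith("+ "):
            try:
                return encapsulate(self.ntlm_step(decapsulate(line)))
            except (NtlmError, ValueError):
                # NTLM subsystem failure (undecodable data treated the same, an
                # assumption): the client MUST move to completed_authentication.
                return self._complete(FAILED)
        raise ValueError(f"unexpected server line during NTLM exchange: {line!r}")

    def _complete(self, outcome):
        self.state, self.outcome = "completed_authentication", outcome
```

The constructed NTLM byte strings used to drive it stand in for real NEGOTIATE, CHALLENGE and AUTHENTICATE messages; only the IMAP4-side transitions are exercised here.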