3.1.1 Abstract Data Model
This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.
The protocol requires that the DC MUST have a database or directory of accounts with authorization information available to it.
The NTLM abstract data model is specified in [MS-NLMP] section 3.1.1. The Netlogon abstract data model is specified in [MS-NRPC] section 3.1.1.
The NTLM server uses the following configuration values:
LogonAttempts: A 32-bit unsigned integer that contains the total number of logon attempts since the last restart.
NTLMServerDomainBlocked: A Boolean setting that SHOULD<3> control the NTLM server that is responding to NTLM authentication requests. When set to TRUE, this setting disables the NTLM server from sending NTLM pass-through authentication messages (section 3.1.5) to any DC.
For NTLM server implementations that use an authorization model that is based on a security identifier (SID), the server maintains the following parameter for each security context:
ImpersonationAccessToken (Public): A Token/Authorization Context (see [MS-DTYP] section 2.5.2).
The DC SHOULD<4> use the following configuration values:
AccountDCBlocked: A Boolean setting that controls the DC responding to NTLM authentication requests. When set to TRUE, this setting disables the account domain DC from responding to NTLM pass-through authentication messages (section 3.1.5).
ResourceDCBlocked: A Boolean setting that controls the DC responding to NTLM authentication requests. When set to TRUE, this setting disables the resource domain DC from sending NTLM pass-through authentication messages (section 3.1.5).
DCBlockExceptions: A list of server names that can use NTLM authentication.
The NTLM server MAY<5> use the following configuration value:
AllowComputerLogon: A Boolean setting that indicates that the caller wants to authenticate a computer. Setting this flag results in the K bit being set in LogonInformation.LogonNetwork.Identity.ParameterControl.