3.2.5.1.1 Server Receives a NEGOTIATE_MESSAGE from the Client

Upon receipt of the embedded NEGOTIATE_MESSAGE, the server MUST extract and decode the NEGOTIATE_MESSAGE.

If ServerBlock == TRUE, then the server MUST return STATUS_NOT_SUPPORTED ([MS-ERREF] section 2.3.1).<63>

If the security features selected by the client are not strong enough for the server security policy, the server MUST return an error to the calling application. Otherwise, the server MUST respond with a CHALLENGE_MESSAGE message. This includes the negotiated features and a 64-bit (8-byte) nonce value for the ServerChallenge value. The nonce is a pseudo-random number generated by the server and intended for one-time use. The flags returned as part of the CHALLENGE_MESSAGE in this step indicate which variant the server wants to use and whether the server's domain name or machine name is present in the TargetName field.

If ServerRequire128bitEncryption == TRUE and 128-bit encryption is not negotiated, the server MUST return SEC_E_UNSUPPORTED_FUNCTION ([MS-ERREF] section 2.1.1) to the application.

The server processes the NEGOTIATE_MESSAGE and constructs a CHALLENGE_MESSAGE per the following pseudocode where all strings are encoded as RPC_UNICODE_STRING ([MS-DTYP] section 2.3.10).

 -- Input:
 --   CfgFlg - Defined in section 3.2.1.
 --   An NTLM NEGOTIATE_MESSAGE whose message fields are defined in
 --   section 2.2.1.1.
 --
 -- Output:
 --   An NTLM CHALLENGE_MESSAGE whose message fields are defined in
 --   section 2.2.1.2.
 --
 -- Functions used:
 --   AddAvPair(), NIL, NONCE - Defined in section 6.

The server SHOULD return only the capabilities it supports. For example, if a newer client requests capability X and the server only supports capabilities A-U, inclusive, then the server does not return capability X. The CHALLENGE_MESSAGE NegotiateFlags field SHOULD<64> be set to the following:

  • All the flags set in CfgFlg (section 3.2.1.1)

  • The supported flags requested in the NEGOTIATE_MESSAGE.NegotiateFlags field

  • NTLMSSP_REQUEST_TARGET

  • NTLMSSP_NEGOTIATE_NTLM

  • NTLMSSP_NEGOTIATE_ALWAYS_SIGN

The Signature field MUST be set to the string, "NTLMSSP". The MessageType field MUST be set to 0x00000002, indicating a message type of NtLmChallenge. The ServerChallenge field MUST be set to an 8-byte nonce.

If the NTLMSSP_NEGOTIATE_VERSION flag is set, the Version field MUST be set to the current version (section 2.2.2.10).

 If (NTLMSSP_NEGOTIATE_UNICODE is set in NEGOTIATE.NegotiateFlags)
      Set the NTLMSSP_NEGOTIATE_UNICODE flag in
      CHALLENGE_MESSAGE.NegotiateFlags
 ElseIf (NTLMSSP_NEGOTIATE_OEM flag is set in NEGOTIATE.NegotiateFlags)
      Set the NTLMSSP_NEGOTIATE_OEM flag in
      CHALLENGE_MESSAGE.NegotiateFlags
 EndIf
 If (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag
        is set in NEGOTIATE.NegotiateFlags)
      Set the NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag in
      CHALLENGE_MESSAGE.NegotiateFlags
 ElseIf (NTLMSSP_NEGOTIATE_LM_KEY flag is set in NEGOTIATE.NegotiateFlags)
      Set the NTLMSSP_NEGOTIATE_LM_KEY flag in
      CHALLENGE_MESSAGE.NegotiateFlags
 EndIf
 If (Server is domain joined)
       Set CHALLENGE_MESSAGE.TargetName to NbDomainName
       Set the NTLMSSP_TARGET_TYPE_DOMAIN flag in
       CHALLENGE_MESSAGE.NegotiateFlags
 Else
       Set CHALLENGE_MESSAGE.TargetName to NbMachineName
       Set the NTLMSSP_TARGET_TYPE_SERVER flag in
       CHALLENGE_MESSAGE.NegotiateFlags
 EndIf

 Set the NTLMSSP_NEGOTIATE_TARGET_INFO and NTLMSSP_REQUEST_TARGET flags in
 CHALLENGE_MESSAGE.NegotiateFlags

 If (NbMachineName is not NIL)
      AddAvPair(TargetInfo, MsvAvNbComputerName, NbMachineName)
 EndIf
 If (NbDomainName is not NIL)
      AddAvPair(TargetInfo, MsvAvNbDomainName, NbDomainName)
 EndIf
 If (DnsMachineName is not NIL)
      AddAvPair(TargetInfo, MsvAvDnsComputerName, DnsMachineName)
 EndIf
 If (DnsDomainName is not NIL)
      AddAvPair(TargetInfo, MsvAvDnsDomainName, DnsDomainName)
 EndIf
 If (DnsForestName is not NIL)
      AddAvPair(TargetInfo, MsvAvDnsTreeName, DnsForestName)
 EndIf
 AddAvPair(TargetInfo, MsvAvEOL, NIL)
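The flag selection, the ServerRequire128bitEncryption check and the TargetInfo construction described in this section, carried through in Python as an added example that is not part of the specification. Flag and AvId bit values are taken from [MS-NLMP] sections 2.2.2.5 and 2.2.2.1; the server_supported mask, treating a non-NIL NbDomainName as "domain joined", and signalling SEC_E_UNSUPPORTED_FUNCTION with an exception are assumptions of this example.

```python
import os
import struct

# NegotiateFlags bit values as defined in [MS-NLMP] section 2.2.2.5.
NTLMSSP_NEGOTIATE_UNICODE, NTLMSSP_NEGOTIATE_OEM = 0x00000001, 0x00000002
NTLMSSP_REQUEST_TARGET, NTLMSSP_NEGOTIATE_LM_KEY = 0x00000004, 0x00000080
NTLMSSP_NEGOTIATE_NTLM, NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00000200, 0x00008000
NTLMSSP_TARGET_TYPE_DOMAIN, NTLMSSP_TARGET_TYPE_SERVER = 0x00010000, 0x00020000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_TARGET_INFO, NTLMSSP_NEGOTIATE_128 = 0x00800000, 0x20000000
# Flags the server chooses one of (the If/ElseIf blocks above) rather than echoing back.
CHOICE_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM
                | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_LM_KEY)
# AvId values as defined in [MS-NLMP] section 2.2.2.1.
MsvAvEOL, MsvAvNbComputerName, MsvAvNbDomainName = 0, 1, 2
MsvAvDnsComputerName, MsvAvDnsDomainName, MsvAvDnsTreeName = 3, 4, 5

def add_av_pair(target_info, av_id, value):
    # AV_PAIR = AvId (u16 LE) | AvLen (u16 LE) | Value (UTF-16LE); MsvAvEOL carries no value.
    data = b"" if value is None else value.encode("utf-16-le")
    target_info += struct.pack("<HH", av_id, len(data)) + data

def build_challenge(negotiate_flags, cfg_flg, server_supported, require_128, nb_machine,
                    nb_domain=None, dns_machine=None, dns_domain=None, dns_forest=None):
    # CfgFlg, plus the requested flags this server supports, plus the three mandated flags.
    flags = (cfg_flg | (negotiate_flags & server_supported & ~CHOICE_FLAGS)
             | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
    if negotiate_flags & NTLMSSP_NEGOTIATE_UNICODE:                    # UNICODE wins over OEM
        flags |= NTLMSSP_NEGOTIATE_UNICODE
    elif negotiate_flags & NTLMSSP_NEGOTIATE_OEM:
        flags |= NTLMSSP_NEGOTIATE_OEM
    if negotiate_flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:   # ESS wins over LM key
        flags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    elif negotiate_flags & NTLMSSP_NEGOTIATE_LM_KEY:
        flags |= NTLMSSP_NEGOTIATE_LM_KEY
    if require_128 and not flags & NTLMSSP_NEGOTIATE_128:
        raise PermissionError("SEC_E_UNSUPPORTED_FUNCTION: 128-bit encryption not negotiated")
    domain_joined = nb_domain is not None      # assumption: a domain name means domain-joined
    flags |= NTLMSSP_TARGET_TYPE_DOMAIN if domain_joined else NTLMSSP_TARGET_TYPE_SERVER
    flags |= NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_REQUEST_TARGET
    target_info = bytearray()
    for av_id, value in ((MsvAvNbComputerName, nb_machine), (MsvAvNbDomainName, nb_domain),
                         (MsvAvDnsComputerName, dns_machine), (MsvAvDnsDomainName, dns_domain),
                         (MsvAvDnsTreeName, dns_forest)):
        if value is not None:
            add_av_pair(target_info, av_id, value)
    add_av_pair(target_info, MsvAvEOL, None)       # TargetInfo always ends with MsvAvEOL
    return {"flags": flags, "target_name": nb_domain if domain_joined else nb_machine,
            "server_challenge": os.urandom(8), "target_info": bytes(target_info)}
```

The returned dictionary holds the field values only; encoding them into the CHALLENGE_MESSAGE byte layout of section 2.2.1.2 is left to the caller.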

When this process is complete, the server MUST send the CHALLENGE_MESSAGE to the client, embedded in an application protocol message, and encoded according to that application protocol.