3.1.5.1.1 Client Initiates the NEGOTIATE_MESSAGE

When the client application initiates the exchange through SSPI, the NTLM client sends the NEGOTIATE_MESSAGE (section 2.2.1.1) to the server. The message is embedded in an application protocol message and encoded according to that application protocol.

If ClientBlocked == TRUE and targ_name ([RFC2743] section 2.2.1) does not equal any of the ClientBlockExceptions server names, then the NTLM client MUST return STATUS_NOT_SUPPORTED ([MS-ERREF] section 2.3.1) to the client application.<46>

The client prepares a NEGOTIATE_MESSAGE and sets the following fields:

  • The Signature field is set to the string "NTLMSSP".

  • The MessageType field is set to NtLmNegotiate.

The client sets the following configuration flags in the NegotiateFlags field of the NEGOTIATE_MESSAGE:

  • NTLMSSP_REQUEST_TARGET

  • NTLMSSP_NEGOTIATE_NTLM

  • NTLMSSP_NEGOTIATE_ALWAYS_SIGN

  • NTLMSSP_NEGOTIATE_UNICODE

If LM authentication is not being used, then the client sets the following configuration flag in the NegotiateFlags field of the NEGOTIATE_MESSAGE:

  • NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

In addition to the flags initialized above, the client sets any flags specified by the application in the NegotiateFlags field.

If the NTLMSSP_NEGOTIATE_VERSION flag is set by the client application, the Version field MUST be set to the current version (section 2.2.2.10), the DomainName field MUST be set to a zero-length string, and the Workstation field MUST be set to a zero-length string. If the NTLMSSP_NEGOTIATE_VERSION flag is not set by the client application, the Version field MUST be set to all-zero.
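As an added example (not part of the specification text), the following Python builds a NEGOTIATE_MESSAGE the way this section prescribes and checks a received one against the same rules, which is the shape a server-side or inspection-side validator takes. The flag constants are the well-known values from section 2.2.2.5, the byte layout follows section 2.2.1.1, and the product version numbers are a constructed sample.

```python
import struct

# Flag values are the well-known constants from MS-NLMP section 2.2.2.5.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
REQUIRED_FLAGS = (NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
                  | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_UNICODE)
SIGNATURE = b"NTLMSSP\x00"   # the 8-byte NUL-terminated signature as sent on the wire
NT_LM_NEGOTIATE = 0x00000001  # MessageType value for NtLmNegotiate
HEADER_LEN = 40               # fixed part of NEGOTIATE_MESSAGE; the payload starts here

def build_negotiate(app_flags=0, lm_auth=False, version=(10, 0, 19041)):
    """Build a NEGOTIATE_MESSAGE as section 3.1.5.1.1 prescribes (version is a constructed sample)."""
    flags = REQUIRED_FLAGS | app_flags          # mandatory flags plus the application's flags
    if not lm_auth:
        flags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        # ProductMajorVersion, ProductMinorVersion, ProductBuild, 3 reserved bytes, NTLMRevisionCurrent
        version_field = struct.pack("<BBH3xB", *version, 0x0F)
    else:
        version_field = bytes(8)                # VERSION not negotiated: the field is all zero
    # DomainName and Workstation are zero-length: Len=0, MaxLen=0, BufferOffset=end of header.
    empty_field = struct.pack("<HHI", 0, 0, HEADER_LEN)
    return SIGNATURE + struct.pack("<II", NT_LM_NEGOTIATE, flags) + empty_field * 2 + version_field

def check_negotiate(msg):
    """Return the list of violations of this section's rules (an empty list means conformant)."""
    if len(msg) < HEADER_LEN:
        return ["message shorter than the %d-byte fixed header" % HEADER_LEN]
    sig, msg_type, flags = struct.unpack_from("<8sII", msg, 0)
    dn_len, _, _, ws_len, _, _ = struct.unpack_from("<HHIHHI", msg, 16)
    version = msg[32:40]
    problems = []
    if sig != SIGNATURE:
        problems.append("bad Signature")
    if msg_type != NT_LM_NEGOTIATE:
        problems.append("MessageType is not NtLmNegotiate")
    if REQUIRED_FLAGS & ~flags:
        problems.append("required NegotiateFlags missing: 0x%08x" % (REQUIRED_FLAGS & ~flags))
    if flags & NTLMSSP_NEGOTIATE_VERSION and (dn_len or ws_len):
        problems.append("VERSION set but DomainName/Workstation are not zero-length")
    if not flags & NTLMSSP_NEGOTIATE_VERSION and version != bytes(8):
        problems.append("VERSION not set but Version field is not all zero")
    return problems
```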