Note
Client applications that connect to the Network News Transport Protocol (NNTP) service that is included in Windows 2000 Server operating system and Windows Server 2003 operating system can use Windows NT LAN Manager (NTLM) authentication.
The NT LAN Manager (NTLM) Authentication: Network News Transfer Protocol (NNTP) Extension specifies how an NNTP client and an NNTP server can use the NTLM Authentication Protocol, as specified in [MS-NLMP], so that the NNTP server can authenticate the NNTP client. NTLM is a challenge/response authentication protocol that depends on the application layer protocols to transport NTLM packets from client to server and from server to client.
The NTLM Authentication: NNTP Extension defines how NNTP is extended to perform authentication by using the NTLM Authentication Protocol. The NNTP standard defines an extensibility mechanism for arbitrary authentication protocols to be plugged into the core protocol. This mechanism is the AUTHINFO GENERIC mechanism, as specified in [RFC2980] section 3.1.3. A client that requests NTLM authentication and a server that processes the authentication stays within the framework of the AUTHINFO GENERIC mechanism.
The NTLM Authentication: NNTP Extension is an embedded protocol in which NTLM authentication data is first transformed into a base64 representation and then formatted by padding with NNTP status codes and NNTP keywords as defined by the AUTHINFO GENERIC mechanism. The base64 encoding and formatting are rudimentary and solely intended to make the NTLM data look like other NNTP commands and responses. The following diagram illustrates the sequence of transformations that are performed on an NTLM message to produce a message that can be sent over NNTP.
Figure 1: Relationship between NTLM message and NNTP: NTLM Authentication Protocol message
The NTLM Authentication: NNTP Extension is a pass-through protocol that does not specify the structure of NTLM information. Instead, the protocol relies on the software that implements the NTLM Authentication Protocol, as specified in [MS-NLMP], to process each NTLM message to be sent or received.
The NTLM Authentication: NNTP Extension defines a server role and a client role.<1>
When NNTP wants to perform an NTLM authentication, it needs to interact with the NTLM software appropriately. Below is an overview of this interaction.
If acting as an NNTP client:
1. The NTLM software returns the first NTLM message to the client, to be sent to the server.
2. The client applies the base64 encoding and NNTP-padding transformations that were mentioned earlier and are described in detail later in this document in order to produce an NNTP message, and sends this message to the server.
3. The client waits for a response from the server. When the response is received, the client checks whether it indicates the end of authentication (success or failure) or that authentication is continuing.
4. If the authentication is continuing, the response message is stripped of the NNTP padding, base64 decoded, and passed into the NTLM software, upon which the NTLM software can return another NTLM message that needs to be sent to the server. Steps 2 through 4 are repeated until authentication succeeds or fails.
If acting as an NNTP server:
1. The server waits to receive the first NNTP authentication message from the client.
2. When an NNTP message is received from the client, the NNTP padding is removed, the message is base64 decoded, and the resulting NTLM message is passed into the NTLM software.
3. The NTLM software returns a status that indicates whether authentication completed successfully, authentication failed, or more NTLM messages need to be exchanged to complete the authentication.
4. If the authentication is continuing, the NTLM software returns an NTLM message that needs to be sent to the client. This message is base64 encoded, the NNTP padding is applied, and the result is sent to the client. Steps 2 through 4 are repeated until authentication succeeds or fails.
The sequence that follows shows the typical flow of packets between client and server after NTLM authentication has been selected.
The NNTP client sends an NTLM NEGOTIATE_MESSAGE that is embedded in an NNTP_AUTH_NTLM_Blob_Command packet to the server.
On receiving the NEGOTIATE_MESSAGE, the NNTP server sends an NTLM CHALLENGE_MESSAGE that is embedded in an NNTP packet to the client.
In response, the NNTP client sends an NTLM AUTHENTICATE_MESSAGE that is embedded in an NNTP packet.
The server then sends an NNTP response to the client to successfully complete the authentication process.
The NTLM NEGOTIATE_MESSAGE, NTLM CHALLENGE_MESSAGE, and NTLM AUTHENTICATE_MESSAGE packets contain NTLM authentication data that has to be processed by the NTLM software that is installed on the local computer. How to retrieve and process the NTLM message is specified in [MS-NLMP].
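The following is an added example (not code from the specification) of the pad/strip pipeline described in the client and server procedures above and exercised by the NEGOTIATE/CHALLENGE/AUTHENTICATE sequence: base64 encoding plus NNTP padding on the way out, and padding removal, base64 decoding and a sanity check of the NTLM header before the opaque blob is handed to the NTLM software. The exact line layout and the status codes are assumptions chosen for illustration; only the NTLM signature and MessageType field come from [MS-NLMP].

```python
import base64
import binascii
import struct

# Assumed framing for illustration only; these codes are placeholders, not
# values taken from the NNTP extension specification.
CODE_CONTINUE, CODE_SUCCESS, CODE_FAILURE = "381", "281", "481"
NTLM_SIGNATURE = b"NTLMSSP\x00"   # fixed 8-byte signature from [MS-NLMP]
NTLM_TYPES = {1: "NEGOTIATE_MESSAGE", 2: "CHALLENGE_MESSAGE", 3: "AUTHENTICATE_MESSAGE"}


def ntlm_message_type(blob: bytes) -> str:
    """Cheap well-formedness check before passing the blob to the NTLM software:
    8-byte signature followed by a little-endian 32-bit MessageType (1, 2 or 3)."""
    if len(blob) < 12 or blob[:8] != NTLM_SIGNATURE:
        raise ValueError("decoded data is not an NTLM message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type not in NTLM_TYPES:
        raise ValueError(f"unknown NTLM MessageType {msg_type}")
    return NTLM_TYPES[msg_type]


def client_pad(ntlm_msg: bytes) -> str:
    """Client -> server: the base64 blob as a bare command line (assumed layout)."""
    return base64.b64encode(ntlm_msg).decode("ascii") + "\r\n"


def server_pad(code: str, ntlm_msg: bytes = b"") -> str:
    """Server -> client: NNTP status code, optionally followed by the base64 blob."""
    line = code if not ntlm_msg else code + " " + base64.b64encode(ntlm_msg).decode("ascii")
    return line + "\r\n"


def _b64decode_strict(text: str) -> bytes:
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 inside NNTP padding") from exc


def client_unpad(line: str):
    """Strip a server response; returns (state, blob) with state in
    'success' / 'failure' / 'continue'.  Only 'continue' carries NTLM data."""
    code, _, rest = line.rstrip("\r\n").partition(" ")
    if code == CODE_SUCCESS:
        return "success", b""
    if code == CODE_FAILURE:
        return "failure", b""
    if code != CODE_CONTINUE:
        raise ValueError(f"unexpected NNTP status {code!r}")
    return "continue", _b64decode_strict(rest)


def server_unpad(line: str) -> bytes:
    """Strip a client command line down to the raw NTLM message."""
    return _b64decode_strict(line.rstrip("\r\n"))
```

A client loop would call client_pad on each message from the NTLM software, then client_unpad on the reply and stop on 'success' or 'failure'; the server side mirrors this with server_unpad and server_pad.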
Implementers of the NTLM Authentication: NNTP Extension must have a working knowledge of: