3.5.4.5.1.1 Pass-through domain name validation

If the NTLMv2_CLIENT_CHALLENGE request (see [MS-NLMP] section 2.2.2.7) does not include a non-empty MsvAvNbDomainName AVPair (see [MS-NLMP] section 2.2.2.1), the validation succeeds.

Otherwise, validation proceeds as follows:

  1. Let NBDomainName be the value of the MsvAvNbDomainName AVPair.

  2. Let DnsDomainName be the value of the MsvAvDnsDomainName AVPair. It is acceptable for this value to be empty.

  3. Let TDO be the Trusted Domain Object used to send the request.

  4. If TDO!trustAttributes does not contain TRUST_ATTRIBUTE_FOREST_TRANSITIVE, validation proceeds as follows:

    1. If NBDomainName does not match the TDO!flatName attribute, the validation fails.

    2. If DnsDomainName is non-empty and does not match the TDO!name attribute, the validation fails.

    3. Otherwise, validation succeeds.

  5. Otherwise, if TDO!trustAttributes does contain TRUST_ATTRIBUTE_FOREST_TRANSITIVE, validation proceeds as follows:

    1. If NBDomainName matches the NetbiosName of any domain in the current forest, the validation fails.

    2. If DnsDomainName is non-empty and matches the DNS name of any domain in the current forest, the validation fails.

    3. Otherwise, let SRs be the set of all ForestTrustScannerInfo records stored across all Trusted Domain Objects in the Trusted Domain Object Data Model (see [MS-LSAD] section 2.2.7.29 and section 3.1.1.5).

    4. If NBDomainName matches none of the NetbiosName values across all records in SRs, validation succeeds.

    5. If NBDomainName matches the NetbiosName value of exactly one record in SRs, and that record originates from the TDO!msdsForestTrustInfo attribute, validation succeeds.

    6. If NBDomainName matches the NetbiosName value of multiple records in SRs, and none of those records originate from the TDO!msdsForestTrustInfo attribute, validation fails.

    7. If NBDomainName matches the NetbiosName value of multiple records in SRs, and one matching record SR originates from the TDO!msdsForestTrustInfo attribute, validation proceeds as follows:

      1. If DnsDomainName is non-empty and matches SR!DnsName, and DnsDomainName does not match any other DnsName values in SRs, validation succeeds.

      2. Otherwise, validation fails.
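The procedure above, carried through as an added example that is not part of this specification and is not Microsoft's implementation. It assumes a minimal representation of the TDO, of the forest's own domain names and of the ForestTrustScannerInfo records (each record tagged with the DNS name of the TDO whose msdsForestTrustInfo it came from), and it compares NetBIOS and DNS names case-insensitively, which the section leaves implicit in "matches". Two cases the section does not state an outcome for (a single matching record that belongs to another TDO, and several matching records from this TDO) are treated as failures; both are marked as assumptions in the code.

```python
from dataclasses import dataclass

# Bit value of TRUST_ATTRIBUTE_FOREST_TRANSITIVE in TDO!trustAttributes ([MS-ADTS]).
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008


@dataclass(frozen=True)
class TrustedDomainObject:
    """The subset of TDO attributes this procedure reads (assumed representation)."""
    flat_name: str         # TDO!flatName   (NetBIOS name of the trusted domain)
    name: str              # TDO!name       (DNS name of the trusted domain)
    trust_attributes: int  # TDO!trustAttributes bit mask


@dataclass(frozen=True)
class ForestTrustScannerInfo:
    """One scanner record. `origin` is the DNS name of the TDO whose
    msdsForestTrustInfo attribute it was read from (assumed representation)."""
    netbios_name: str
    dns_name: str
    origin: str


def _same(a: str, b: str) -> bool:
    # Assumption: NetBIOS and DNS names compare case-insensitively.
    return a.casefold() == b.casefold()


def validate_pass_through_domain_name(av_pairs, tdo, forest_netbios_names,
                                      forest_dns_names, scanner_records):
    """Return True when validation succeeds and False when it fails.

    av_pairs maps AvId names ("MsvAvNbDomainName", "MsvAvDnsDomainName") to
    their string values; absent or empty means the AVPair was not sent.
    """
    nb_domain_name = av_pairs.get("MsvAvNbDomainName", "")
    if not nb_domain_name:
        return True  # no non-empty MsvAvNbDomainName: validation succeeds
    dns_domain_name = av_pairs.get("MsvAvDnsDomainName", "")  # may be empty

    if not (tdo.trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE):
        # Step 4: a non-forest trust may only name the trusted domain itself.
        if not _same(nb_domain_name, tdo.flat_name):
            return False
        if dns_domain_name and not _same(dns_domain_name, tdo.name):
            return False
        return True

    # Step 5: forest trust. Names of the local forest's own domains must never
    # be accepted through a trust (5.1, 5.2).
    if any(_same(nb_domain_name, n) for n in forest_netbios_names):
        return False
    if dns_domain_name and any(_same(dns_domain_name, d) for d in forest_dns_names):
        return False

    matches = [r for r in scanner_records if _same(nb_domain_name, r.netbios_name)]
    if not matches:
        return True  # 5.4: the NetBIOS name is claimed by no forest trust
    from_this_tdo = [r for r in matches if _same(r.origin, tdo.name)]
    if len(matches) == 1:
        # 5.5 succeeds only when the single record belongs to this TDO.
        # Assumption: a single record owned by another TDO fails (not stated).
        return len(from_this_tdo) == 1
    if not from_this_tdo:
        return False  # 5.6: name collides, and none of the claimants is this TDO
    if len(from_this_tdo) != 1:
        return False  # assumption: several records from this TDO, not covered; fail closed
    sr = from_this_tdo[0]
    # 5.7.1: the DNS name must be present, match SR!DnsName and be unique in SRs.
    if not dns_domain_name or not _same(dns_domain_name, sr.dns_name):
        return False
    return not any(r is not sr and _same(dns_domain_name, r.dns_name)
                   for r in scanner_records)


if __name__ == "__main__":
    # Constructed sample data: the local forest is contoso.example, and
    # "SALES" is claimed by two different forest trusts.
    forest_tdo = TrustedDomainObject("FABRIKAM", "fabrikam.example",
                                     TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
    records = [
        ForestTrustScannerInfo("SALES", "sales.fabrikam.example", "fabrikam.example"),
        ForestTrustScannerInfo("SALES", "sales.tailspin.example", "tailspin.example"),
    ]
    print(validate_pass_through_domain_name(
        {"MsvAvNbDomainName": "SALES", "MsvAvDnsDomainName": "sales.fabrikam.example"},
        forest_tdo, ["CONTOSO"], ["contoso.example"], records))
```

The ordering matters for the security property: the local-forest checks (5.1, 5.2) run before the scanner lookup, so a request arriving over a forest trust can never validate with one of the local forest's own domain names, whatever the scanner records say.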