Client applications that connect to the Post Office Protocol 3 (POP3) service included in Windows Server 2003 operating system and Windows Server 2003 R2 operating system can use either standard plaintext authentication, as specified in [RFC1939], or NT LAN Manager (NTLM) authentication.
The NTLM POP3 Extension specifies how a POP3 client and POP3 server can use the NT LAN Manager (NTLM) Authentication Protocol, as specified in [MS-NLMP], so that the POP3 server can authenticate the POP3 client. NTLM is a challenge/response authentication protocol that depends on the application layer protocols to transport NTLM packets from client to server, and from server to client.
This specification defines how the POP3 AUTH command [RFC1734] is used to perform authentication using the NTLM authentication protocol. The POP3 Authentication command standard defines an extensibility mechanism for arbitrary authentication protocols to be plugged into the core protocol.
This specification describes an embedded protocol in which NTLM authentication data is first transformed into a base64 representation, and then formatted by padding with POP3 keywords as defined by the AUTH mechanism. The base64 encoding and the formatting are very rudimentary, and are solely intended to make the NTLM data fit the framework specified in [RFC1734]. The following diagram illustrates the sequence of transformations performed on an NTLM message to produce a message that can be sent over POP3.
Figure 1: Relationship between NTLM message and POP3
This specification describes a pass-through protocol that does not specify the structure of NTLM information. Instead, the protocol relies on the software that implements the NTLM Authentication Protocol (as specified in [MS-NLMP]) to process each NTLM message to be sent or received.
This specification defines a server and a client role.
When POP3 performs an NTLM authentication, it needs to interact with the NTLM subsystem appropriately. Below is an overview of this interaction.
If acting as a POP3 client:
1. The NTLM subsystem returns the first NTLM message to the client, to be sent to the server.
2. The client applies the base64-encoding and POP3-padding transformations mentioned earlier and described in detail later in this document to produce a POP3 message, and sends this message to the server.
3. The client waits for a response from the server. When the response is received, the client checks whether the response indicates the end of authentication (success or failure) or that authentication is continuing.
4. If the authentication is continuing, the response message is stripped of the POP3 padding, base64 decoded, and passed into the NTLM subsystem, upon which the NTLM subsystem might return another NTLM message that needs to be sent to the server. Steps 2 through 4 are repeated until authentication succeeds or fails.
If acting as a POP3 server:
1. The server waits to receive the first POP3 authentication message from the client.
2. When a POP3 message is received from the client, the POP3 padding is removed, the message is base64 decoded, and the resulting NTLM message is passed into the NTLM subsystem.
3. The NTLM subsystem returns a status indicating whether authentication completed successfully, failed, or whether more NTLM messages need to be exchanged to complete the authentication.
4. If the authentication is continuing, the NTLM subsystem returns an NTLM message that needs to be sent to the client. This message is base64-encoded, the POP3 padding is applied, and the result is sent to the client. Steps 2 through 4 are repeated until authentication succeeds or fails.
The sequence that follows shows the typical flow of packets between the client and the server once NTLM authentication has been selected.
1. The POP3 client sends an NTLM NEGOTIATE_MESSAGE embedded in a POP3_AUTH_NTLM_Blob_Command packet to the server.
2. On receiving the POP3 packet with an NTLM NEGOTIATE_MESSAGE, the POP3 server sends an NTLM CHALLENGE_MESSAGE embedded in a POP3 packet to the client.
3. In response, the POP3 client sends an NTLM AUTHENTICATE_MESSAGE embedded in a POP3 packet.
4. The server then sends a POP3 Response to the client to successfully complete the authentication process.
The NTLM NEGOTIATE_MESSAGE, NTLM CHALLENGE_MESSAGE, and NTLM AUTHENTICATE_MESSAGE packets contain NTLM authentication data that is processed by the NTLM software installed on the local computer. How to retrieve and process NTLM messages is specified in [MS-NLMP].
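The client loop from the overview above and the NEGOTIATE/CHALLENGE/AUTHENTICATE sequence, as an added Python example that is not part of [MS-POP3] or of any Microsoft implementation. It assumes the [RFC1734] framing conventions (a bare base64 line for client blobs, a "+ " prefix on server challenges, "+OK"/"-ERR" ending the exchange); the NTLM subsystem, the server and MAX_ROUNDS are constructed stand-ins, since NTLM message contents are opaque to this layer.

```python
import base64
import binascii

CRLF = b"\r\n"
MAX_ROUNDS = 4  # assumed safety bound; a normal NTLM exchange needs two client sends


def pop3_pad(ntlm_message: bytes, prefix: bytes = b"") -> bytes:
    """base64-encode an opaque NTLM message and frame it as one POP3 line.
    Client blobs are sent bare; server challenges are assumed to carry "+ "."""
    return prefix + base64.b64encode(ntlm_message) + CRLF


def pop3_unpad(line: bytes) -> tuple:
    """Classify a server line as success, failure or continue and, when the
    exchange continues, strip the POP3 padding and base64-decode the NTLM data."""
    if not line.endswith(CRLF):
        raise ValueError("POP3 response is not CRLF-terminated")
    body = line[:-2]
    if body.startswith(b"+OK"):
        return "success", b""
    if body.startswith(b"-ERR"):
        return "failure", b""
    if body.startswith(b"+ "):
        try:  # validate=True rejects stray characters instead of silently skipping them
            return "continue", base64.b64decode(body[2:], validate=True)
        except binascii.Error as exc:
            raise ValueError(f"malformed base64 in server challenge: {exc}") from exc
    raise ValueError(f"unexpected POP3 response: {body!r}")


def run_client(ntlm, send) -> str:
    """Steps 1-4 of the client role: ntlm(incoming) is the NTLM subsystem
    (None yields the NEGOTIATE_MESSAGE), send(line) returns the server's reply line."""
    outgoing = ntlm(None)
    for _ in range(MAX_ROUNDS):
        state, payload = pop3_unpad(send(pop3_pad(outgoing)))
        if state != "continue":
            return state
        outgoing = ntlm(payload)
    raise ValueError("server kept the exchange open beyond MAX_ROUNDS")


# Constructed stand-ins: NTLM bytes are opaque to this layer, so tags suffice.
def fake_ntlm(incoming):
    return b"NEGOTIATE" if incoming is None else b"AUTHENTICATE:" + incoming


def fake_server(line: bytes) -> bytes:
    msg = base64.b64decode(line[:-2], validate=True)
    if msg == b"NEGOTIATE":
        return pop3_pad(b"CHALLENGE:nonce", prefix=b"+ ")
    if msg == b"AUTHENTICATE:CHALLENGE:nonce":
        return b"+OK NTLM authentication completed" + CRLF
    return b"-ERR authentication failed" + CRLF
```

Calling run_client(fake_ntlm, fake_server) walks the full NEGOTIATE, CHALLENGE, AUTHENTICATE, +OK exchange and returns "success"; a server line that is not valid base64 is rejected before anything reaches the NTLM subsystem.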
Implementers of this specification need to have a working knowledge of the following:
- POP3, as specified in [RFC1734] and [RFC1939].
- The Multipurpose Internet Mail Extensions (MIME) base64 encoding method, as specified in [RFC1521].
- The NTLM Authentication Protocol, as specified in [MS-NLMP].