7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows 11 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1: Except in Windows NT.

<2> Section 1.3: Only Windows NT clients initiate requests for the LM version of the protocol. All applicable Windows Server releases accept it if properly configured.

<3> Section 1.3.1: It is possible, with Windows connectionless NTLM, for messages protected by NTLM session security to precede the completion of the established NTLM session, but such message orderings do not occur in practice.

<4> Section 1.4: When authenticating a domain account with NTLM, Windows uses Netlogon ([MS-APDS]) to have the DC take the challenge and the client's response, and validate the user authentication against the DC's user database.

<5> Section 1.6: Windows applications that use the Negotiate Token ([MS-SPNG]) can authenticate via NTLM if Kerberos is not available. Authenticating via NTLM would occur if either the client or the server is a down-level system (running Windows NT 4.0 operating system or earlier), if the server is not joined to a domain, if the application is using a remote procedure call (RPC) interface that uses NTLM directly, or if the administrator has not configured Kerberos properly. An implementer who wants to support these scenarios in which Kerberos does not work would need to implement NTLM.

<6> Section 2.2.1.1: The Version field is NOT sent or accessed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field started immediately after WorkstationBufferOffset. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages with Version fields.

<7> Section 2.2.1.1: In Windows, the code page mapping the OEM character set to Unicode is configurable via HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\Nls\Codepage\OEMCP, which is a DWORD that contains the assigned number of the code page.

<8> Section 2.2.1.2: Except in Windows NT, Windows 2000, Windows XP, and Windows Server 2003, the TargetInfo field is always sent.

<9> Section 2.2.1.2: The Version field is not sent or accessed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field started immediately after TargetInfoBufferOffset. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages with Version fields.

<10> Section 2.2.1.3: Although the protocol allows authentication to succeed if the client provides either LmChallengeResponse or NtChallengeResponse, Windows provides both.

<11> Section 2.2.1.3: The Version field is NOT sent or consumed by Windows NT or Windows 2000. Windows NT and Windows 2000 assume that the Payload field started immediately after NegotiateFlags. Since all references into the Payload field are by offset from the start of the message (not from the start of the Payload field), Windows NT and Windows 2000 can correctly interpret messages constructed with Version fields.

<12> Section 2.2.1.3: The MIC field is omitted in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<13> Section 2.2.2.1: MsvAvDnsTreeName AV_PAIR type is not supported in Windows NT and Windows 2000.

<14> Section 2.2.2.1: MsvAvFlags AV_PAIR type is not supported in Windows NT and Windows 2000.

<15> Section 2.2.2.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<16> Section 2.2.2.1: MsvAvTimestamp AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<17> Section 2.2.2.1: MsvAvSingleHost AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<18> Section 2.2.2.1: MsvAvTargetName AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<19> Section 2.2.2.1: MsvAvChannelBindings AV_PAIR type is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

<20> Section 2.2.2.2: Windows does not process this field when sent on the wire.

<21> Section 2.2.2.2: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista do not create or send the CustomData field. The CustomData field is not processed when sent on the wire.

<22> Section 2.2.2.2: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista do not create or send the MachineID. The MachineID is not processed when sent on the wire.

<23> Section 2.2.2.5: Except in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, only 128-bit session key negotiation is supported by default; therefore this bit is always set.

<24> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_VERSION flag is not supported in Windows NT and Windows 2000. This flag is used for debug purposes only.

<25> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is not set in the NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client in Windows NT Server 4.0 operating system Service Pack 3 (SP3).

<26> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED flag is not supported in Windows NT and Windows 2000.

<27> Section 2.2.2.5: The NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag is not supported in Windows NT and Windows 2000.

<28> Section 2.2.2.5: Windows sends this bit for anonymous connections, but a Windows-based NTLM server does not use this bit when establishing the session.

<29> Section 2.2.2.5: Windows NTLM clients can set this bit. No applicable Windows Server releases support it, so this bit is never used.

<30> Section 2.2.2.7: In some situations, Microsoft Windows adds bytes to the end of the variable-length section. These bytes are considered part of the NTLMv2_CLIENT_CHALLENGE structure but have no defined contents.

<31> Section 2.2.2.10: NTLMSSP_NEGOTIATE_VERSION cannot be negotiated in Windows NT, Windows 2000, and Windows XP operating system Service Pack 1 (SP1).

<32> Section 2.2.2.10: The following table lists the Windows values of the ProductMajorVersion and ProductMinorVersion fields for each applicable product.

| Product | ProductMajorVersion | ProductMinorVersion |
|---|---|---|
| Windows XP operating system Service Pack 2 (SP2) | WINDOWS_MAJOR_VERSION_5 | WINDOWS_MINOR_VERSION_1 |
| Windows Server 2003 | WINDOWS_MAJOR_VERSION_5 | WINDOWS_MINOR_VERSION_2 |
| Windows Vista | WINDOWS_MAJOR_VERSION_6 | WINDOWS_MINOR_VERSION_0 |
| Windows Server 2008 | WINDOWS_MAJOR_VERSION_6 | WINDOWS_MINOR_VERSION_0 |
| Windows 7 | WINDOWS_MAJOR_VERSION_6 | WINDOWS_MINOR_VERSION_1 |
| Windows Server 2008 R2 | WINDOWS_MAJOR_VERSION_6 | WINDOWS_MINOR_VERSION_1 |
| Windows 8 | WINDOWS_MAJOR_VERSION_6 | WINDOWS_MINOR_VERSION_2 |
| Windows Server 2012 operating system | WINDOWS_MAJOR_VERSION_6 | WINDOWS_MINOR_VERSION_2 |
| Windows 8.1 | WINDOWS_MAJOR_VERSION_6 | WINDOWS_MINOR_VERSION_3 |
| Windows Server 2012 R2 | WINDOWS_MAJOR_VERSION_6 | WINDOWS_MINOR_VERSION_3 |
| Windows 10 | WINDOWS_MAJOR_VERSION_10 | WINDOWS_MINOR_VERSION_0 |
| Windows Server 2016, Windows Server operating system, Windows Server 2019 | WINDOWS_MAJOR_VERSION_10 | WINDOWS_MINOR_VERSION_0 |

<33> Section 2.2.2.10: In Windows, this field contains one of the following values:

| Value | Meaning |
|---|---|
| WINDOWS_MAJOR_VERSION_5 0x05 | The major version of the Windows operating system is 0x05. |
| WINDOWS_MAJOR_VERSION_6 0x06 | The major version of the Windows operating system is 0x06. |
| WINDOWS_MAJOR_VERSION_10 0x0A | The major version of the Windows operating system is 0x0A. |

<34> Section 2.2.2.10: In Windows, this field contains one of the following values:

| Value | Meaning |
|---|---|
| WINDOWS_MINOR_VERSION_0 0x00 | The minor version of the Windows operating system is 0x00. |
| WINDOWS_MINOR_VERSION_1 0x01 | The minor version of the Windows operating system is 0x01. |
| WINDOWS_MINOR_VERSION_2 0x02 | The minor version of the Windows operating system is 0x02. |
| WINDOWS_MINOR_VERSION_3 0x03 | The minor version of the Windows operating system is 0x03. |
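The notes on the Version field (6, 9, 11) and on its values (32 to 34) combine in the following Python code, an added example that is not part of the specification: it parses a CHALLENGE_MESSAGE with or without a Version field by following offsets from the start of the message, then maps the version bytes to the products tabulated above. Field positions follow the CHALLENGE_MESSAGE layout of section 2.2.1.2; the function names, the `CORP` target name and build number 17763 are constructed for the demonstration.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # flag discussed in note 24

# (ProductMajorVersion, ProductMinorVersion) -> products, from the table in note 32.
PRODUCTS = {
    (0x05, 0x01): ["Windows XP SP2"],
    (0x05, 0x02): ["Windows Server 2003"],
    (0x06, 0x00): ["Windows Vista", "Windows Server 2008"],
    (0x06, 0x01): ["Windows 7", "Windows Server 2008 R2"],
    (0x06, 0x02): ["Windows 8", "Windows Server 2012"],
    (0x06, 0x03): ["Windows 8.1", "Windows Server 2012 R2"],
    (0x0A, 0x00): ["Windows 10", "Windows Server 2016",
                   "Windows Server operating system", "Windows Server 2019"],
}

def _field(msg, pos):
    """Read a Len/MaxLen/BufferOffset descriptor; offsets count from message start."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if length and offset + length > len(msg):
        raise ValueError("payload reference runs past the end of the message")
    return offset, msg[offset:offset + length]

def parse_challenge(msg):
    """Parse a CHALLENGE_MESSAGE whether or not it carries a Version field."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLM message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    name_off, name = _field(msg, 12)            # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]
    info_off, info = _field(msg, 40)            # TargetInfoFields
    used = [off for off, buf in ((name_off, name), (info_off, info)) if buf]
    first_payload = min(used, default=len(msg))
    if first_payload < 48:
        raise ValueError("payload reference overlaps the fixed header")
    version = None
    # Version occupies bytes 48..55 only if the flag is set and no payload starts there.
    if flags & NTLMSSP_NEGOTIATE_VERSION and first_payload >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        version = {"major": major, "minor": minor, "build": build,
                   "products": PRODUCTS.get((major, minor), [])}
    if flags & NTLMSSP_NEGOTIATE_UNICODE:
        name = name.decode("utf-16-le")
    return {"flags": flags, "target_name": name, "target_info": info, "version": version}

def build_sample(version=None):
    """Constructed CHALLENGE_MESSAGE (zeroed challenge) for the demo; not a capture."""
    name = "CORP".encode("utf-16-le")
    hdr_len = 56 if version else 48
    flags = NTLMSSP_NEGOTIATE_UNICODE | (NTLMSSP_NEGOTIATE_VERSION if version else 0)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), hdr_len)
    msg += struct.pack("<I", flags) + bytes(16)  # ServerChallenge + Reserved
    msg += struct.pack("<HHI", 0, 0, hdr_len + len(name))
    if version:
        msg += struct.pack("<BBH3xB", *version, 0x0F)  # last byte: NTLMRevisionCurrent
    return msg + name

if __name__ == "__main__":
    for sample in (build_sample(), build_sample((0x0A, 0x00, 17763))):
        print(parse_challenge(sample))
```

Because several products share one major/minor pair, the Version field narrows a peer to a product family rather than identifying it, and a message whose payload begins at byte 48 parses the same way with `version` left as `None`.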

<35> Section 3.1.1.1: Windows NT Server 4.0 SP3 does not support providing NTLM instead of LM responses.

<36> Section 3.1.1.1: ClientBlocked is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<37> Section 3.1.1.1: ClientBlockExceptions is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<38> Section 3.1.1.1: Except in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, which set this variable to FALSE, Windows sets this variable to TRUE.

<39> Section 3.1.1.1: In Windows NT 4.0 and Windows 2000, the maximum lifetime for the challenge is 30 minutes. In Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the maximum lifetime is 36 hours.

<40> Section 3.1.1.2: Windows exposes these logical parameters to applications through the SSPI interface.

<41> Section 3.1.1.2: ClientSuppliedTargetName is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<42> Section 3.1.1.2: ClientChannelBindingsUnhashed is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<43> Section 3.1.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<44> Section 3.1.4: Security Support Provider Interface (SSPI) is the Windows implementation of GSS API [RFC2743].

<45> Section 3.1.4: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<46> Section 3.1.5.1.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<47> Section 3.1.5.1.2: Not supported by Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<48> Section 3.1.5.1.2: This functionality is not supported in Windows NT and Windows 2000.

<49> Section 3.1.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<50> Section 3.1.5.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<51> Section 3.1.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<52> Section 3.1.5.2: Connectionless NTLM is supported only in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<53> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<54> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<55> Section 3.1.5.2.1: Not supported by Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<56> Section 3.1.5.2.1: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<57> Section 3.1.5.2.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<58> Section 3.1.5.2.1: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<59> Section 3.2.1.1: The default value of this state variable is FALSE. ServerBlock is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008.

<60> Section 3.2.1.1: Except in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, which set this variable to FALSE, Windows sets this value to TRUE.

<61> Section 3.2.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<62> Section 3.2.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<63> Section 3.2.5.1.1: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<64> Section 3.2.5.1.1: Windows NT will set NTLMSSP_NEGOTIATE_TARGET_INFO only if NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is set. Windows 2000, Windows XP, and Windows Server 2003 will set NTLMSSP_NEGOTIATE_TARGET_INFO only if NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY or NTLMSSP_REQUEST_TARGET is set.

<65> Section 3.2.5.1.2: ServerBlock is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<66> Section 3.2.5.1.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<67> Section 3.2.5.1.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<68> Section 3.2.5.1.2: MIC fields are not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<69> Section 3.2.5.1.2: Supported by Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<70> Section 3.2.5.2: Connectionless NTLM is supported only in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<71> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<72> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<73> Section 3.2.5.2.2: Not supported in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

<74> Section 3.2.5.2.2: Supported by Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

<75> Section 3.2.5.2.2: This functionality is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

<76> Section 3.2.5.2.2: Not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

<77> Section 3.3.1: If the Windows client sends a domain that is unknown to the server, the server tries to perform the authentication against the local database.

<78> Section 3.3.2: If the Windows client sends a domain that is unknown to the server, the server tries to perform the authentication against the local database.

<79> Section 3.4.6: The Windows implementation of GSS_WrapEx() is called EncryptMessage(). For more information, see [MSDN-EncryptMsg].

<80> Section 3.4.7: The Windows implementation of GSS_WrapEx() is called DecryptMessage(). For more information, see [MSDN-DecryptMsg].

<81> Section 5.1: NTLM domain considerations are as follows:

Microsoft DCs determine the minimum security requirements for NTLM authentication between a Windows client and the local Windows domain. Based on the minimum security settings in place, the DC can either allow or refuse the use of LM, NTLM, or NTLM v2 authentication, and servers can force the use of extended session security on all messages between the client and server. In a Windows domain, the DC controls domain-level security settings through the use of Group Policy ([MS-GPOL]), which replicates security policies to clients and servers throughout the local domain.

Domain-level security policies dictated by Group Policy have to be supported on the local system for authentication to take place. During NTLM authentication, clients and servers exchange NTLM capability flags that specify what levels of security they are able to support. If either the client or server's level of security support is less than the security policies of the domain, the authentication attempt is refused by the computer with the higher level of minimum security requirements. This is important for interdomain authentication where differing security policies might be enforced on either domain, and the client or server might not be able to support the security policies of the other's domain.

NTLM security levels are as follows:

The security policies exchanged by the server and client can be set independently of the DC minimum security requirements dictated by Group Policy. Higher local security policies can be exchanged by a client and server in a domain with low minimum-security requirements in connection-oriented authentication during the capability flags exchange. However, during connectionless (datagram-oriented) authentication, it is not possible to exchange higher local security policies because they are strictly enforced by Group Policy. Local security policies that are set independently of the DC are subordinate to domain-level security policies for clients authenticating to a server on the local domain; therefore, it is not possible to use local-system policies that are less secure than domain-level policies.

Stand-alone servers that do not have a DC to authenticate clients set their own minimum security requirements.

NTLM security levels determine the minimum security settings allowed on a client, server, or DC to authenticate in an NTLM domain. The security levels cannot be modified in Windows NT 4.0 operating system Service Pack 3 (SP3) by setting this registry key to one of the following security level values.

 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
 LMCompatibilityLevel

Security-level descriptions:

0: Server sends LM and NTLM response and never uses extended session security. Clients use LM and NTLM authentication, and never use extended session security. DCs accept LM, NTLM, and NTLM v2 authentication.

1: Servers use NTLM v2 session security if it is negotiated. Clients use LM and NTLM authentication and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

2: Server sends NTLM response only. Clients use only NTLM authentication and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

3: Server sends NTLM v2 response only. Clients use NTLM v2 authentication and use extended session security if the server supports it. DCs accept LM, NTLM, and NTLM v2 authentication.

4: DCs refuse LM responses. Clients use NTLM authentication and use extended session security if the server supports it. DCs refuse LM authentication but accept NTLM and NTLM v2 authentication.

5: DCs refuse LM and NTLM responses and accept only NTLM v2. Clients use NTLM v2 authentication and use extended session security if the server supports it. DCs refuse NTLM and LM authentication and accept only NTLM v2 authentication.
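Before raising LMCompatibilityLevel on DCs, it helps to know which sources would start failing. The following Python code is an added example, not part of the specification: it applies the DC acceptance rules from the level descriptions above to observed logons. The host names, account names and records are constructed, and the package strings `LM`, `NTLM V1` and `NTLM V2` are an assumption about how the log source labels the response type.

```python
from collections import defaultdict

# Constructed, simplified logon records: (source workstation, account, NTLM package).
# The package spellings are an assumption about the log source; adjust NORMALIZE
# if your logs label the response types differently.
SAMPLE_LOGONS = [
    ("WS-014", "alice", "NTLM V2"),
    ("WS-014", "svc-backup", "NTLM V1"),
    ("NAS-02", "scanner", "LM"),
    ("NAS-02", "scanner", "NTLM V1"),
    ("WS-101", "bob", "NTLM V2"),
]
NORMALIZE = {"LM": "LM", "NTLM V1": "NTLM", "NTLM V2": "NTLM v2"}


def dc_refused(level):
    """Response types a DC refuses at a given LMCompatibilityLevel (list above)."""
    if level not in range(6):
        raise ValueError("LMCompatibilityLevel is 0..5")
    if level == 5:
        return {"LM", "NTLM"}
    if level == 4:
        return {"LM"}
    return set()  # levels 0-3: DCs accept LM, NTLM and NTLM v2


def highest_safe_dc_level(protocols):
    """Highest DC level that still accepts every response type in `protocols`."""
    return max(lvl for lvl in range(6) if not (dc_refused(lvl) & set(protocols)))


def audit(logons, target_level):
    """Group observed response types by source and report what `target_level` breaks."""
    refused = dc_refused(target_level)
    seen = defaultdict(set)
    for source, account, package in logons:
        seen[source].add((account, NORMALIZE[package]))
    report = {}
    for source, pairs in sorted(seen.items()):
        protocols = {proto for _, proto in pairs}
        report[source] = {
            "blocked": sorted(pair for pair in pairs if pair[1] in refused),
            "highest_safe_level": highest_safe_dc_level(protocols),
        }
    return report


if __name__ == "__main__":
    for source, result in audit(SAMPLE_LOGONS, target_level=5).items():
        print(source, result)
```

A source whose `highest_safe_level` is below the planned DC level needs its client-side setting raised, or the device replaced, before the DC policy changes.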