3.1.1.2 Variables Exposed to the Application

The following parameters are provided by the application to the NTLM client. These logical parameters can influence various protocol-defined flags.<40>

Note: The following variables are logical, abstract parameters that an implementation MUST maintain and expose to provide the proper level of service. How these variables are maintained and exposed is up to the implementation.

Integrity: A Boolean setting that indicates that the caller requests that messages be signed so that they cannot be tampered with while in transit. Setting this flag results in the NTLMSSP_NEGOTIATE_SIGN flag being set in the NegotiateFlags field of the NTLM NEGOTIATE_MESSAGE.

Replay Detect: A Boolean setting that indicates that the caller requests that messages be signed so that they cannot be replayed. Setting this flag results in the NTLMSSP_NEGOTIATE_SIGN flag being set in the NegotiateFlags field of the NTLM NEGOTIATE_MESSAGE.

Sequence Detect: A Boolean setting that indicates that the caller requests that messages be signed so that they cannot be sent out of order. Setting this flag results in the NTLMSSP_NEGOTIATE_SIGN flag being set in the NegotiateFlags field of the NTLM NEGOTIATE_MESSAGE.

Confidentiality: A Boolean setting that indicates that the caller requests that messages be encrypted so that they cannot be read while in transit. If the Confidentiality option is selected by the client, NTLM performs a bitwise OR operation with the following NTLM Negotiate Flags into the ClientConfigFlags. (The ClientConfigFlags indicate which features the client host supports.)

 NTLMSSP_NEGOTIATE_SEAL
 NTLMSSP_NEGOTIATE_KEY_EXCH
 NTLMSSP_NEGOTIATE_LM_KEY
 NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

Datagram: A Boolean setting that indicates that the connectionless mode of NTLM is to be selected. If the Datagram option is selected by the client, then connectionless mode is used and NTLM performs a bitwise OR operation with the following NTLM Negotiate Flag into the ClientConfigFlags.

 NTLMSSP_NEGOTIATE_DATAGRAM

Identify: A Boolean setting that indicates that the caller wants the server to know the identity of the caller, but that the server not be allowed to impersonate the caller to resources on that system. Setting this flag results in the NTLMSSP_NEGOTIATE_IDENTIFY flag being set. It indicates that the GSS_C_IDENTIFY_FLAG flag was set in the GSS_Init_sec_context call, as discussed in [RFC4757] section 7.1, and results in the GSS_C_IDENTIFY_FLAG flag being set in the authenticator's checksum field ([RFC4757] section 7.1).
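The mapping from the application-exposed Booleans above to the client's NegotiateFlags, as an added worked example (not code from the specification or from any implementation). The numeric flag values are those defined in MS-NLMP section 2.2.2.5 (NEGOTIATE); the function and parameter names are this example's own. The second function is a client-side sanity check a caller can run on the flags that the server's CHALLENGE_MESSAGE actually negotiated, which is where an application discovers that the integrity or confidentiality it asked for did not survive negotiation.

```python
# Added example: derive ClientConfigFlags from the section 3.1.1.2 parameters.
# Flag values are from MS-NLMP section 2.2.2.5; names and structure are illustrative.

NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_DATAGRAM = 0x00000040
NTLMSSP_NEGOTIATE_LM_KEY = 0x00000080
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_IDENTIFY = 0x00100000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000

FLAG_NAMES = {
    NTLMSSP_NEGOTIATE_SIGN: "NTLMSSP_NEGOTIATE_SIGN",
    NTLMSSP_NEGOTIATE_SEAL: "NTLMSSP_NEGOTIATE_SEAL",
    NTLMSSP_NEGOTIATE_DATAGRAM: "NTLMSSP_NEGOTIATE_DATAGRAM",
    NTLMSSP_NEGOTIATE_LM_KEY: "NTLMSSP_NEGOTIATE_LM_KEY",
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    NTLMSSP_NEGOTIATE_IDENTIFY: "NTLMSSP_NEGOTIATE_IDENTIFY",
    NTLMSSP_NEGOTIATE_KEY_EXCH: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}


def client_config_flags(*, integrity=False, replay_detect=False, sequence_detect=False,
                        confidentiality=False, datagram=False, identify=False,
                        base_flags=0):
    """Return ClientConfigFlags after OR-ing in the flags implied by each Boolean.

    base_flags stands in for whatever the implementation already had set
    (e.g. UNICODE, NTLM, ALWAYS_SIGN); this function only adds the bits
    that section 3.1.1.2 attributes to the application-exposed variables.
    """
    flags = base_flags
    # Integrity, Replay Detect and Sequence Detect all map to the same bit.
    if integrity or replay_detect or sequence_detect:
        flags |= NTLMSSP_NEGOTIATE_SIGN
    # Confidentiality pulls in sealing plus the key-exchange related flags.
    if confidentiality:
        flags |= (NTLMSSP_NEGOTIATE_SEAL
                  | NTLMSSP_NEGOTIATE_KEY_EXCH
                  | NTLMSSP_NEGOTIATE_LM_KEY
                  | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
    if datagram:
        flags |= NTLMSSP_NEGOTIATE_DATAGRAM
    if identify:
        flags |= NTLMSSP_NEGOTIATE_IDENTIFY
    return flags


def flag_names(flags):
    """Human-readable names of the known bits set in flags (unknown bits ignored)."""
    return sorted(name for bit, name in FLAG_NAMES.items() if flags & bit)


def missing_flags(requested, negotiated):
    """Names of requested bits that the negotiated flags do not carry.

    Intended as a post-negotiation check: an application that set Integrity or
    Confidentiality should treat a non-empty result as a failed protection
    request rather than silently continuing without signing or sealing.
    """
    return sorted(name for bit, name in FLAG_NAMES.items()
                  if (requested & bit) and not (negotiated & bit))


if __name__ == "__main__":
    want = client_config_flags(integrity=True, confidentiality=True)
    print(hex(want), flag_names(want))
    # Constructed sample: a server answered with SIGN only.
    print("missing:", missing_flags(want, NTLMSSP_NEGOTIATE_SIGN))
```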

The following variables are used by applications for channel binding token support:

ClientSuppliedTargetName: Service principal name (SPN) of the service to which the client wishes to authenticate. This value is optional.<41>

ClientChannelBindingsUnhashed: An octet string provided by the application used for channel binding. This value is optional.<42>

UnverifiedTargetName: A Boolean setting that indicates that the caller generated the target's SPN from an untrusted source. This value is optional.<43>
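How the three channel-binding variables above end up on the wire, as an added example (not code from the specification or from any NTLM implementation). It assumes the AV_PAIR encoding and the AvId values of MS-NLMP section 2.2.2.1 (MsvAvFlags 0x0006, MsvAvTargetName 0x0009, MsvAvChannelBindings 0x000A, MsvAvFlags bit 0x00000004 for an SPN from an untrusted source) and the rule from section 3.1.5.1.2 that the client places the MD5 of ClientChannelBindingsUnhashed in the MsvAvChannelBindings pair. The serialized layout of the unhashed bindings (a gss_channel_bindings_struct with empty address fields and little-endian lengths) and the server-side acceptance policy are this example's assumptions; the certificate hash is a constructed placeholder.

```python
# Added example: carrying ClientSuppliedTargetName, ClientChannelBindingsUnhashed and
# UnverifiedTargetName in AUTHENTICATE_MESSAGE AV pairs, plus the matching server check.
import hashlib
import hmac
import struct
from typing import Dict, Optional

# AvId values from MS-NLMP section 2.2.2.1 (AV_PAIR).
MSV_AV_EOL = 0x0000
MSV_AV_FLAGS = 0x0006
MSV_AV_TARGET_NAME = 0x0009
MSV_AV_CHANNEL_BINDINGS = 0x000A
# MsvAvFlags bit meaning "SPN from an untrusted source" (MS-NLMP section 2.2.2.1).
MSV_AV_FLAG_UNVERIFIED_SPN = 0x00000004


def gss_channel_bindings_struct(application_data: bytes) -> bytes:
    """Serialize ClientChannelBindingsUnhashed.

    Assumption: RFC 2744 gss_channel_bindings_struct with empty initiator and
    acceptor addresses, i.e. four zero 32-bit fields, then the application_data
    length and bytes, little-endian.
    """
    return struct.pack("<IIIII", 0, 0, 0, 0, len(application_data)) + application_data


def msv_channel_bindings(unhashed: Optional[bytes]) -> bytes:
    """Value of the MsvAvChannelBindings pair: MD5 of the unhashed bindings,
    or sixteen zero bytes when the application supplied none (assumption)."""
    if unhashed is None:
        return bytes(16)
    return hashlib.md5(unhashed).digest()


def av_pair(av_id: int, value: bytes) -> bytes:
    """AvId (2 bytes LE), AvLen (2 bytes LE), Value."""
    return struct.pack("<HH", av_id, len(value)) + value


def client_av_pairs(target_name: Optional[str],
                    channel_bindings_unhashed: Optional[bytes],
                    unverified_target_name: bool) -> bytes:
    """Build the client-added AV pairs from the three section 3.1.1.2 variables."""
    pairs = b""
    if unverified_target_name:
        pairs += av_pair(MSV_AV_FLAGS, struct.pack("<I", MSV_AV_FLAG_UNVERIFIED_SPN))
    if target_name is not None:
        pairs += av_pair(MSV_AV_TARGET_NAME, target_name.encode("utf-16-le"))
    pairs += av_pair(MSV_AV_CHANNEL_BINDINGS, msv_channel_bindings(channel_bindings_unhashed))
    pairs += av_pair(MSV_AV_EOL, b"")
    return pairs


def parse_av_pairs(data: bytes) -> Dict[int, bytes]:
    """Walk an AV_PAIR list up to MsvAvEOL; raises if the list is truncated."""
    out: Dict[int, bytes] = {}
    off = 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return out
        if off + av_len > len(data):
            raise ValueError("truncated AV_PAIR list")
        out[av_id] = data[off:off + av_len]
        off += av_len


def server_accepts_bindings(received: bytes, expected_unhashed: bytes, require: bool) -> bool:
    """Server side: compare the client's hash with the hash of the server's own
    bindings for this TLS channel. A zero hash means the client sent none, which is
    acceptable only when the server does not require bindings (policy assumption)."""
    if received == bytes(16):
        return not require
    return hmac.compare_digest(received, msv_channel_bindings(expected_unhashed))


if __name__ == "__main__":
    # Constructed sample: a 32-byte placeholder standing in for the server certificate hash.
    cbt = gss_channel_bindings_struct(b"tls-server-end-point:" + bytes(32))
    blob = client_av_pairs("HTTP/web.example.com", cbt, unverified_target_name=True)
    parsed = parse_av_pairs(blob)
    print(parsed[MSV_AV_TARGET_NAME].decode("utf-16-le"), parsed[MSV_AV_FLAGS].hex())
    print("bindings accepted:", server_accepts_bindings(parsed[MSV_AV_CHANNEL_BINDINGS], cbt, True))
```

The mismatch branch of server_accepts_bindings is the one that matters operationally: when the bindings the client hashed describe a different TLS endpoint than the one the server is terminating, the comparison fails and the server can reject the authentication instead of accepting credentials that were presented to some other channel.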