2.2.1.1 NEGOTIATE_MESSAGE
The NEGOTIATE_MESSAGE defines an NTLM negotiate message that is sent from the client to the server. This message allows the client to specify its supported NTLM options to the server.
| Bits 0-31 |
|---|
| Signature |
| ... |
| MessageType |
| NegotiateFlags |
| DomainNameFields |
| ... |
| WorkstationFields |
| ... |
| Version |
| ... |
| Payload (variable) |
| ... |
Signature (8 bytes): An 8-byte character array that MUST contain the ASCII string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').
MessageType (4 bytes): A 32-bit unsigned integer that indicates the message type. This field MUST be set to 0x00000001.
NegotiateFlags (4 bytes): A NEGOTIATE structure that contains a set of flags, as defined in section 2.2.2.5. The client sets flags to indicate options it supports.
DomainNameFields (8 bytes): A field containing DomainName information. The field diagram for DomainNameFields is as follows.
| Bits 0-15 | Bits 16-31 |
|---|---|
| DomainNameLen | DomainNameMaxLen |
| DomainNameBufferOffset (all 32 bits) | |
If the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag is set in NegotiateFlags, indicating that a DomainName is supplied in the Payload, the fields are set to the following values:
- DomainNameLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of DomainName in the Payload.
- DomainNameMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of DomainNameLen, and MUST be ignored on receipt.
- DomainNameBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the NEGOTIATE_MESSAGE to DomainName in Payload.
Otherwise, if the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag is not set in NegotiateFlags, indicating that a DomainName is not supplied in the Payload, the fields take the following values, and MUST be ignored upon receipt.
- DomainNameLen and DomainNameMaxLen fields SHOULD be set to zero.
- DomainNameBufferOffset field SHOULD be set to the offset from the beginning of the NEGOTIATE_MESSAGE to where the DomainName would be in Payload if it were present.
WorkstationFields (8 bytes): A field containing WorkstationName information. The field diagram for WorkstationFields is as follows.
| Bits 0-15 | Bits 16-31 |
|---|---|
| WorkstationLen | WorkstationMaxLen |
| WorkstationBufferOffset (all 32 bits) | |
If the NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED flag is set in NegotiateFlags, indicating that a WorkstationName is supplied in the Payload, the fields are set to the following values:
- WorkstationLen (2 bytes): A 16-bit unsigned integer that defines the size, in bytes, of WorkstationName in the Payload.
- WorkstationMaxLen (2 bytes): A 16-bit unsigned integer that SHOULD be set to the value of WorkstationLen and MUST be ignored on receipt.
- WorkstationBufferOffset (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the NEGOTIATE_MESSAGE to WorkstationName in the Payload.
Otherwise, if the NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED flag is not set in NegotiateFlags, indicating that a WorkstationName is not supplied in the Payload, the fields take the following values, and MUST be ignored upon receipt.
- WorkstationLen and WorkstationMaxLen fields SHOULD be set to zero.
- WorkstationBufferOffset field SHOULD be set to the offset from the beginning of the NEGOTIATE_MESSAGE to where the WorkstationName would be in Payload if it were present.
Version (8 bytes): A VERSION structure (as defined in section 2.2.2.10) that is populated only when the NTLMSSP_NEGOTIATE_VERSION flag is set in the NegotiateFlags field; otherwise, it MUST be set to all zero. This structure SHOULD<6> be used for debugging purposes only. In normal (nondebugging) protocol messages, it is ignored and does not affect the NTLM message processing.
Payload (variable): A byte-array that contains the data referred to by the DomainNameBufferOffset and WorkstationBufferOffset fields. Payload data can be present in any order within the Payload field, with variable-length padding before or after the data. The data that can be present in the Payload field of this message, in no particular order, are:
| Bits 0-31 |
|---|
| DomainName (variable) |
| ... |
| WorkstationName (variable) |
| ... |
DomainName (variable): If DomainNameLen does not equal 0x0000, DomainName MUST be a byte-array that contains the name of the client authentication domain that MUST be encoded using the OEM character set. Otherwise, this data is not present.<7>
WorkstationName (variable): If WorkstationLen does not equal 0x0000, WorkstationName MUST be a byte array that contains the name of the client machine that MUST be encoded using the OEM character set. Otherwise, this data is not present.
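The receive-side rules above (fixed Signature and MessageType, Len/BufferOffset honoured only when the matching SUPPLIED flag is set, MaxLen ignored, Payload data in any order) can be enforced with a bounds-checked parser such as the following, which is an added example and not code from the specification. It assumes little-endian integers, takes the three flag bit values from section 2.2.2.5 (they are not listed on this page), and uses hypothetical helper names and constructed sample names (`CORP`, `WKSTN01`).

```python
import struct

# Flag values come from MS-NLMP section 2.2.2.5, which this page only references.
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
FIXED_LEN = 40  # Signature 8 + MessageType 4 + NegotiateFlags 4 + 3 fields * 8

def _payload_slice(msg, length, offset, name):
    # Hypothetical helper: return the data only if it lies wholly inside Payload.
    if length == 0:
        return b""  # Len == 0x0000 means the data is not present
    if offset < FIXED_LEN or offset + length > len(msg):
        raise ValueError(f"{name}: offset {offset} + len {length} outside Payload")
    return msg[offset:offset + length]

def parse_negotiate(msg: bytes) -> dict:
    if len(msg) < FIXED_LEN:
        raise ValueError("shorter than the fixed NEGOTIATE_MESSAGE fields")
    sig, mtype, flags = struct.unpack_from("<8sII", msg, 0)
    if sig != b"NTLMSSP\x00":
        raise ValueError("bad Signature")
    if mtype != 0x00000001:
        raise ValueError("MessageType is not NEGOTIATE")
    # MaxLen values are unpacked but ignored on receipt, as the text requires.
    dlen, _dmax, doff, wlen, _wmax, woff = struct.unpack_from("<HHIHHI", msg, 16)
    out = {"flags": flags, "domain": b"", "workstation": b"", "version": None}
    # Len/BufferOffset are trusted only when the matching SUPPLIED flag is set.
    if flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED:
        out["domain"] = _payload_slice(msg, dlen, doff, "DomainName")
    if flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
        out["workstation"] = _payload_slice(msg, wlen, woff, "WorkstationName")
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        out["version"] = msg[32:40]  # raw VERSION structure, debugging use only
    return out  # names stay as OEM-encoded bytes; the code page is system-specific

def build_sample(flags, domain=b"", workstation=b"", doff=None, dlen=None):
    # Constructed test message whose Payload is WorkstationName, then DomainName.
    woff = FIXED_LEN
    doff = woff + len(workstation) if doff is None else doff
    dlen = len(domain) if dlen is None else dlen
    hdr = struct.pack("<8sIIHHIHHI8s", b"NTLMSSP\x00", 1, flags, dlen, dlen, doff,
                      len(workstation), len(workstation), woff, bytes(8))
    return hdr + workstation + domain
```

Passing `doff` or `dlen` to `build_sample` overrides the honest values, which is how the out-of-bounds and flag-not-set cases can be exercised.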