//+-------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1992.
//
// File: ntlmsp.h
//
// Contents:
//
// Classes:
//
// Functions:
//
// History: 13-May-92 PeterWi Created
//
//--------------------------------------------------------------------------
#ifndef _NTLMSP_H_
#define _NTLMSP_H_
#include <ntmsv1_0.h>
////////////////////////////////////////////////////////////////////////
//
// Name of the package to pass in to AcquireCredentialsHandle, etc.
//
////////////////////////////////////////////////////////////////////////
#define NTLMSP_NAME_A "NTLM"
#define NTLMSP_NAME L"NTLM"
#define NTLMSP_NAME_SIZE (sizeof(NTLMSP_NAME) - sizeof(WCHAR))
#define NTLMSP_COMMENT_A "NTLM Security Package"
#define NTLMSP_COMMENT L"NTLM Security Package"
#define NTLMSP_CAPABILITIES (SECPKG_FLAG_TOKEN_ONLY | \
SECPKG_FLAG_MULTI_REQUIRED | \
SECPKG_FLAG_CONNECTION | \
SECPKG_FLAG_INTEGRITY | \
SECPKG_FLAG_PRIVACY)
#define NTLMSP_VERSION 1
#define NTLMSP_RPCID 10 // RPC_C_AUTHN_WINNT from rpcdce.h
#define NTLMSP_MAX_TOKEN_SIZE 0x300
////////////////////////////////////////////////////////////////////////
//
// Opaque Messages passed between client and server
//
////////////////////////////////////////////////////////////////////////
#define NTLMSSP_SIGNATURE "NTLMSSP"
//
// MessageType for the following messages.
//
typedef enum {
NtLmNegotiate = 1,
NtLmChallenge,
NtLmAuthenticate,
NtLmUnknown
} NTLM_MESSAGE_TYPE;
//
// Valid values of NegotiateFlags
//
#define NTLMSSP_NEGOTIATE_UNICODE 0x0001 // Text strings are in unicode
#define NTLMSSP_NEGOTIATE_OEM 0x0002 // Text strings are in OEM
#define NTLMSSP_REQUEST_TARGET 0x0004 // Server should return its
// authentication realm
#define NTLMSSP_NEGOTIATE_SIGN 0x0010 // Request signature capability
#define NTLMSSP_NEGOTIATE_SEAL 0x0020 // Request confidentiality
#define NTLMSSP_NEGOTIATE_DATAGRAM 0x0040 // Use datagram style authentication
#define NTLMSSP_NEGOTIATE_LM_KEY 0x0080 // Use LM session key for sign/seal
#define NTLMSSP_NEGOTIATE_NETWARE 0x0100 // NetWare authentication
#define NTLMSSP_NEGOTIATE_NTLM 0x0200 // NTLM authentication
#define NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0x1000 // Domain Name supplied on negotiate
#define NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0x2000 // Workstation Name supplied on negotiate
#define NTLMSSP_NEGOTIATE_LOCAL_CALL 0x4000 // Indicates client/server are same machine
#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0x8000 // Sign for all security levels
//
// Valid target types returned by the server in Negotiate Flags
//
#define NTLMSSP_TARGET_TYPE_DOMAIN 0x10000 // TargetName is a domain name
#define NTLMSSP_TARGET_TYPE_SERVER 0x20000 // TargetName is a server name
#define NTLMSSP_TARGET_TYPE_SHARE 0x40000 // TargetName is a share name
//
// Valid requests for additional output buffers
//
#define NTLMSSP_REQUEST_INIT_RESPONSE 0x100000 // get back session keys
#define NTLMSSP_REQUEST_ACCEPT_RESPONSE 0x200000 // get back session key, LUID
#define NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0x400000 // request non-nt session key
//
// Opaque message returned from first call to InitializeSecurityContext
//
typedef struct _NEGOTIATE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
ULONG NegotiateFlags;
STRING OemDomainName;
STRING OemWorkstationName;
} NEGOTIATE_MESSAGE, *PNEGOTIATE_MESSAGE;
//
// Old version of the message, for old clients
//
typedef struct _OLD_NEGOTIATE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
ULONG NegotiateFlags;
} OLD_NEGOTIATE_MESSAGE, *POLD_NEGOTIATE_MESSAGE;
//
// Opaque message returned from first call to AcceptSecurityContext
//
typedef struct _CHALLENGE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
STRING TargetName;
ULONG NegotiateFlags;
UCHAR Challenge[MSV1_0_CHALLENGE_LENGTH];
ULONG ServerContextHandleLower;
ULONG ServerContextHandleUpper;
} CHALLENGE_MESSAGE, *PCHALLENGE_MESSAGE;
//
// Old version of the challenge message
//
typedef struct _OLD_CHALLENGE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
STRING TargetName;
ULONG NegotiateFlags;
UCHAR Challenge[MSV1_0_CHALLENGE_LENGTH];
} OLD_CHALLENGE_MESSAGE, *POLD_CHALLENGE_MESSAGE;
//
// Opaque message returned from second call to InitializeSecurityContext
//
typedef struct _AUTHENTICATE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
STRING LmChallengeResponse;
STRING NtChallengeResponse;
STRING DomainName;
STRING UserName;
STRING Workstation;
STRING SessionKey;
ULONG NegotiateFlags;
} AUTHENTICATE_MESSAGE, *PAUTHENTICATE_MESSAGE;
typedef struct _OLD_AUTHENTICATE_MESSAGE {
UCHAR Signature[sizeof(NTLMSSP_SIGNATURE)];
NTLM_MESSAGE_TYPE MessageType;
STRING LmChallengeResponse;
STRING NtChallengeResponse;
STRING DomainName;
STRING UserName;
STRING Workstation;
} OLD_AUTHENTICATE_MESSAGE, *POLD_AUTHENTICATE_MESSAGE;
//
// Additional input message to Initialize for clients to provide a
// user-supplied password
//
typedef struct _NTLM_CHALLENGE_MESSAGE {
UNICODE_STRING Password;
UNICODE_STRING UserName;
UNICODE_STRING DomainName;
} NTLM_CHALLENGE_MESSAGE, *PNTLM_CHALLENGE_MESSAGE;
//
// Non-opaque message returned from second call to InitializeSecurityContext
//
typedef struct _NTLM_INITIALIZE_RESPONSE {
UCHAR UserSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
UCHAR LanmanSessionKey[MSV1_0_LANMAN_SESSION_KEY_LENGTH];
} NTLM_INITIALIZE_RESPONSE, *PNTLM_INITIALIZE_RESPONSE;
//
// Additional input message to Accept for trusted client skipping the first
// call to Accept and providing their own challenge
//
typedef struct _NTLM_AUTHENTICATE_MESSAGE {
CHAR ChallengeToClient[MSV1_0_CHALLENGE_LENGTH];
ULONG ParameterControl;
} NTLM_AUTHENTICATE_MESSAGE, *PNTLM_AUTHENTICATE_MESSAGE;
//
// Non-opaque message returned from second call to AcceptSecurityContext
//
typedef struct _NTLM_ACCEPT_RESPONSE {
LUID LogonId;
LARGE_INTEGER KickoffTime;
ULONG UserFlags;
UCHAR UserSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
UCHAR LanmanSessionKey[MSV1_0_LANMAN_SESSION_KEY_LENGTH];
} NTLM_ACCEPT_RESPONSE, *PNTLM_ACCEPT_RESPONSE;
//
// Size of the largest message
// (The largest message is the AUTHENTICATE_MESSAGE)
//
#define NTLMSSP_MAX_MESSAGE_SIZE (sizeof(AUTHENTICATE_MESSAGE) + \
LM_RESPONSE_LENGTH + \
NT_RESPONSE_LENGTH + \
(DNLEN + 1) * sizeof(WCHAR) + \
(UNLEN + 1) * sizeof(WCHAR) + \
(CNLEN + 1) * sizeof(WCHAR))
typedef struct _NTLMSSP_MESSAGE_SIGNATURE {
ULONG Version;
ULONG RandomPad;
ULONG CheckSum;
ULONG Nonce;
} NTLMSSP_MESSAGE_SIGNATURE, *PNTLMSSP_MESSAGE_SIGNATURE;
#define NTLMSSP_MESSAGE_SIGNATURE_SIZE sizeof(NTLMSSP_MESSAGE_SIGNATURE)
//
// Version 1 is the structure above, using stream RC4 to encrypt the trailing
// 12 bytes.
//
#define NTLM_SIGN_VERSION 1
//////////////////////////////////////////////////////////////////////
//
// Control Functions
//
//////////////////////////////////////////////////////////////////////
#define NTLM_CHANGE_PASSWORD 0x0001
#define NTLM_DUMP_CONTEXTS 0x1001
#define NTLM_DUMP_CREDENTIALS 0x1002
#define NTLM_DUMP_SESSIONS 0x1003
//////////////////////////////////////////////////////////////////////
//
// Credential data structures
//
//////////////////////////////////////////////////////////////////////
typedef enum {
Share = 1,
Server,
Domain,
Default
} NTLMCredentialType, *PNTLMCredentialType;
#define NTLM_CRED_REVISION 1
typedef struct _NTLMCredHeader {
ULONG Revision;
ULONG CredentialCount;
ULONG Reserved[2];
} NTLMCredHeader, *PNTLMCredHeader;
typedef struct _NTLMPublicCredential {
NTLMCredentialType CredType;
SECURITY_STRING ssTarget;
SECURITY_STRING ssPassword;
SECURITY_STRING OPTIONAL ssUser;
SECURITY_STRING OPTIONAL ssDomain;
struct _NTLMPublicCredential * pNext;
} NTLMPublicCredential, *PNTLMPublicCredential;
typedef struct _NTLMPublicPrimaryCred {
SECURITY_STRING ssUser;
SECURITY_STRING ssDomain;
SECURITY_STRING ssPassword;
} NTLMPublicPrimaryCred, *PNTLMPublicPrimaryCred;
#endif // _NTLMSP_H_
