NTLM Protocol

NTLM is a family of authentication and session security protocols. NTLM is based on a challenge-response model, consisting of three types of messages exchanged in the following order:

  1. The client sends a type 1 message (negotiation) to the server. The type 1 message specifies the features supported by the client and requested of the server.
  2. The server sends a type 2 message (challenge) to the client. The primary function of this message is to challenge the identity of the client user.
  3. The client sends a type 3 message (authentication) to the server. The type 3 message includes the domain and user name of the client user and responds to the challenge in the type 2 message.

The following diagram shows how Federation Manager and the Federation Manager Windows Agent use the NTLM protocol:

[Diagram: Windows Agent and NTLM]

The following process references annotations in the preceding diagram:

  1. An authentication request is made to Federation Manager at the asserting party.
  2. Federation Manager recognizes the request as delegated authentication and redirects to the Federation Manager Windows Agent.
  3. The Federation Manager Windows Agent sends a response back to the browser.
  4. If the browser is configured for IWA, the browser sends an NTLM Negotiate token (type 1 message) in the Authorization header to the Federation Manager Windows Agent.
  5. The Federation Manager Windows Agent sends an NTLM Challenge token (type 2 message) to the browser.
  6. The browser sends an NTLM Authenticate token (type 3 message) to the Federation Manager Windows Agent.
  7. If a security context is associated with a user, the Federation Manager Windows Agent retrieves the user identity from the established context.
  8. The Agent creates an open-format cookie containing the user identity information.
  9. The Agent sends the cookie to Federation Manager.
  10. Federation Manager sends a SAML Assertion to the Relying Party to complete federation processing.
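As an added example that is not part of this documentation or of the Federation Manager product: a small Python parser for the NTLM tokens carried in the Authorization header during steps 4 to 6 above. It identifies which of the three message types a token is and, for a type 3 (Authenticate) message, extracts the domain, user name and workstation it carries, which is what an agent-side log or a reviewer inspecting a capture needs. The sample tokens, the values CORP, alice and WS01, and all function names are constructed for this illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set, OEM/ASCII otherwise
MESSAGE_NAMES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}

def _field(msg, off, flags):
    """Resolve the (Len, MaxLen, Offset) descriptor at 'off' to a decoded string."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length].decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")

def parse_ntlm_token(header_value):
    """Parse an 'NTLM <base64>' Authorization / WWW-Authenticate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": msg_type, "name": MESSAGE_NAMES.get(msg_type, "Unknown")}
    if msg_type == 1:                      # Negotiate: NegotiateFlags at offset 12
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif msg_type == 2:                    # Challenge: TargetName at 12, flags at 20, nonce at 24
        info["flags"] = struct.unpack_from("<I", msg, 20)[0]
        info["target"] = _field(msg, 12, info["flags"])
        info["server_challenge"] = msg[24:32].hex()
    elif msg_type == 3:                    # Authenticate: domain at 28, user at 36, workstation at 44
        info["flags"] = struct.unpack_from("<I", msg, 60)[0]
        for key, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[key] = _field(msg, off, info["flags"])
    return info

def _build_authenticate(domain, user, workstation):
    """Constructed Type 3 message with empty LM/NT responses, used only for the sample below."""
    strings = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
               workstation.encode("utf-16-le"), b""]
    offset, descriptors, payload = 64, b"", b""   # payload follows the 64-byte fixed part
    for s in strings:
        descriptors += struct.pack("<HHI", len(s), len(s), offset)
        payload, offset = payload + s, offset + len(s)
    head = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
    return head + struct.pack("<I", NEGOTIATE_UNICODE) + payload

SAMPLE_NEGOTIATE = "NTLM " + base64.b64encode(     # constructed type 1 token (step 4 above)
    NTLMSSP_SIGNATURE + struct.pack("<II", 1, NEGOTIATE_UNICODE) + b"\x00" * 16).decode()
SAMPLE_AUTHENTICATE = "NTLM " + base64.b64encode(  # constructed type 3 token (step 6 above)
    _build_authenticate("CORP", "alice", "WS01")).decode()
```

The offsets used are those of the NTLMSSP message layouts (MS-NLMP); every string field is bounds-checked against the message length before it is read, so a malformed token raises instead of reading past the buffer.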