

NTLM Protocol

NTLM includes various authentication and session security protocols. NTLM is based on a challenge-response model, consisting of three types of messages exchanged in the following order:

  1. The client sends a type 1 message (negotiation) to the server. The type 1 message specifies the features supported by the client and requested of the server.
  2. The server sends a type 2 message (challenge) to the client. The primary function of this message is to challenge the identity of the client user.
  3. The client sends a type 3 message (authentication) to the server. The type 3 message includes the domain and user name of the client user and responds to the challenge in the type 2 message.

The following graphic shows how CA SiteMinder® Federation Standalone and the Federation Agent for Windows Authentication use the NTLM protocol:

Graphic showing the NTLM protocol for Windows Authentication

The following process references annotations in the preceding diagram:

  1. An authentication request is made to the federation system at the asserting party.
  2. The federation system recognizes the request as a delegated authentication request and redirects the request to the Federation Agent.
  3. The Agent sends a response back to the browser.
  4. If the browser is configured for IWA, the browser sends an NTLM Negotiate token (type 1 message) in the authorization header to the Federation Agent.
  5. The Federation Agent sends an NTLM Challenge token (type 2 message) to the browser.
  6. The browser sends an NTLM Authenticate token (type 3 message) to the Federation Agent.
  7. If a security context is associated with a user, the Federation Agent retrieves the user identity from the established context.
  8. The Agent creates an open format cookie containing the user identity information.
  9. The Agent sends the cookie to the federation system.
  10. The federation system sends an assertion to the relying party to complete federation processing.
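As an added example (not code from the CA SiteMinder documentation or product), the following Python parses the NTLM tokens that travel in the HTTP Authorization header during steps 4 to 6 above: it identifies whether a token is a type 1, 2 or 3 message and, for a type 3 message, extracts the domain, user name and workstation the client claims, which is the information an agent or proxy would record when auditing Windows Authentication. The field layout follows the public NTLM message format; the builder constructs a sample type 3 token with zero-filled placeholder responses purely to exercise the parser, and the OEM code page used when Unicode is not negotiated is assumed to be cp850.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
MESSAGE_NAMES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}


def _read_security_buffer(msg, pos):
    """Read a (Len, MaxLen, Offset) descriptor at pos and return the payload bytes it points to."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_ntlm_authorization(header_value):
    """Classify the NTLM token in 'NTLM <base64>'; for type 3 also return domain, user, workstation."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token)
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    result = {"type": msg_type, "name": MESSAGE_NAMES.get(msg_type, "Unknown")}
    if msg_type == 3:
        (flags,) = struct.unpack_from("<I", msg, 60)  # NegotiateFlags of the Authenticate message
        # UTF-16LE if Unicode was negotiated, otherwise an OEM code page (cp850 is an assumption)
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp850"
        result["domain"] = _read_security_buffer(msg, 28).decode(enc)
        result["user"] = _read_security_buffer(msg, 36).decode(enc)
        result["workstation"] = _read_security_buffer(msg, 44).decode(enc)
    return result


def build_sample_type3_header(domain, user, workstation):
    """Constructed type 3 token for exercising the parser; LM/NT responses are zero placeholders."""
    enc = "utf-16-le"
    # Payload order: LmChallengeResponse, NtChallengeResponse, Domain, User, Workstation, SessionKey
    parts = [b"\x00" * 24, b"\x00" * 24, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    fields, payload, base = b"", b"", 64  # the fixed part of a type 3 message is 64 bytes
    for part in parts:
        fields += struct.pack("<HHI", len(part), len(part), base + len(payload))
        payload += part
    fixed = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(fixed + payload).decode("ascii")


# Constructed minimal type 1 (Negotiate) token: signature, type, flags, empty domain/workstation fields
SAMPLE_TYPE1_HEADER = "NTLM " + base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16).decode("ascii")
```

Feeding the type 1 token yields only its message type, which is exactly what a server sees before issuing its type 2 challenge; the type 3 token is where the claimed identity first appears and where a bounds check on each security buffer matters, since the offsets come from the client.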