I am trying to authenticate an application from a client to a Lync Server 2013 softphone using the NTLM method in SIP. But I'm not sure how to do the AUTHENTICATE_MESSAGE part of it.
Here is what I am doing for the Authorization part of the SIP message:
```delphi
if CSeq = '1' then
begin
  // First message is to get the server authentication methods and realm/targetname
  result := result + '';
end
else if CSeq = '2' then
begin
  // On the second message, I pass the realm and targetname, corresponding to the negotiate message
  result := result + 'Authorization: NTLM qop="'+mQop+'", realm="'+mRealm+'", targetname="'+mTargetName+'", version='+mVersion+', gssapi-data="" ' + #13#10;
end
else if CSeq = '3' then
begin
  // ProcessedChallenge and response are the two values in question
  if StrToInt(mVersion) > 3 then
  begin
    result := result + 'Authorization: NTLM opaque="'+mOpaque+'", qop="'+mQop+'", realm="'+mRealm+'", targetname="'+mTargetName+'", '+
      'gssapi-data="'+ProcessedChallenge+'", version='+mVersion+', crand="'+CNONCE+'", '+
      'cnum="'+NONCECOUNT+'", response="'+response+'"' + #13#10;
  end
  else
  begin
    result := result + 'Authorization: NTLM opaque="'+mOpaque+'", qop="'+mQop+'", realm="'+mRealm+'", targetname="'+mTargetName+'", '+
      'gssapi-data="'+ProcessedChallenge+'", version='+mVersion + #13#10;
  end;
end;
```
The thing is, I'm not sure how to generate the "ProcessedChallenge" and "response" values in the third message. The rest seems to be OK, but just in case, here are the traces:
```
REGISTER sip:novotest.ca SIP/2.0
Via: SIP/2.0/TLS 192.168.20.180:5061
Max-Forwards: 70
Supported: replaces
Contact: <sip:192.168.20.180:5061;transport=tls>
To: <sip:mcote@novotest.ca>
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 1 REGISTER
Expires: 3600
User-Agent: KOMUTEL SIP
Content-Length: 0

SIP/2.0 401 Unauthorized
Date: Mon, 03 Feb 2014 20:03:12 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/qa121vm179.Novotest.ca", version=4
WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4, sts-uri="https://qa121vm179.novotest.ca:443/CertProv/CertProvisioningService.svc"
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
To: <sip:mcote@novotest.ca>;tag=FA72F83E7EA12109F5E9C2E8F087DA00
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 1 REGISTER
Via: SIP/2.0/TLS 192.168.20.180:5061;ms-received-port=5061;ms-received-cid=164200
Server: RTC/5.0
Content-Length: 0

REGISTER sip:novotest.ca SIP/2.0
Via: SIP/2.0/TLS 192.168.20.180:5061
Max-Forwards: 70
Supported: replaces
Contact: <sip:192.168.20.180:5061;transport=tls>
To: <sip:mcote@novotest.ca>
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 2 REGISTER
Expires: 3600
User-Agent: KOMUTEL SIP
Supported: gruu-10
Authorization: NTLM qop="auth", realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4, gssapi-data=""
Content-Length: 0

SIP/2.0 401 Unauthorized
Date: Mon, 03 Feb 2014 20:03:12 GMT
WWW-Authenticate: NTLM opaque="AF511061", gssapi-data="TlRMTVNTUAACAAAAAAAAADgAAADzgpjixfrJRZMjjbQAAAAAAAAAAKAAoAA4AAAABgOAJQAAAA8CABAATgBPAFYATwBUAEUAUwBUAAEAFABRAEEAMQAyADEAVgBNADEANwA5AAQAFgBOAG8AdgBvAHQAZQBzAHQALgBjAGEAAwAsAHEAYQAxADIAMQB2AG0AMQA3ADkALgBOAG8AdgBvAHQAZQBzAHQALgBjAGEABQAWAE4AbwB2AG8AdABlAHMAdAAuAGMAYQAHAAgAlvq/9xohzwEAAAAA", targetname="qa121vm179.Novotest.ca", realm="SIP Communications Service", version=4
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
To: <sip:mcote@novotest.ca>;tag=FA72F83E7EA12109F5E9C2E8F087DA00
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 2 REGISTER
Via: SIP/2.0/TLS 192.168.20.180:5061;ms-received-port=5061;ms-received-cid=164200
Server: RTC/5.0
Content-Length: 0

REGISTER sip:novotest.ca SIP/2.0
Via: SIP/2.0/TLS 192.168.20.180:5061
Max-Forwards: 70
Supported: replaces
Contact: <sip:192.168.20.180:5061;transport=tls>
To: <sip:mcote@novotest.ca>
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 3 REGISTER
Expires: 3600
User-Agent: KOMUTEL SIP
Supported: gruu-10
Authorization: NTLM opaque="AF511061", qop="auth", realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", gssapi-data="TlRMTVNTUAADAAAAGAAYAIoAAAAYABgAogAAABYAFgBAAAAAIgAiAFYAAAASABIAeAAAAAAAAAAAAAAABYIAAE4AbwB2AG8AdABlAHMAdAAuAGMAYQBtAGMAbwB0AGUAQABuAG8AdgBvAHQAZQBzAHQALgBjAGEAbABvAGMAYQBsAGgAbwBzAHQADgbcHeX1D8Dq+saY48dGAFVvXh3zWvVzSiDDtTv/vAPWH5sdqkMSRL4r6raCjCOQ", version=4, crand="0b5f113e", cnum="1", response="0100000024A95BA08AA3947964000000"
Content-Length: 0

SIP/2.0 401 Unauthorized
Date: Mon, 03 Feb 2014 20:03:12 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/qa121vm179.Novotest.ca", version=4
WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4, sts-uri="https://qa121vm179.novotest.ca:443/CertProv/CertProvisioningService.svc"
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
To: <sip:mcote@novotest.ca>;tag=FA72F83E7EA12109F5E9C2E8F087DA00
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 3 REGISTER
Via: SIP/2.0/TLS 192.168.20.180:5061;ms-received-port=5061;ms-received-cid=164200
ms-diagnostics: 1000;reason="Final handshake failed";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)";source="qa121vm179.Novotest.ca"
Server: RTC/5.0
Content-Length: 0
```
I tried Indy's SSPI and OverbyteICS's authentication method without success. Is there a way of doing this in Delphi? If yes, how do I do it?
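
Added example, not code from the original post: the `gssapi-data` in the server's CSeq 2 response is a base64-encoded NTLM CHALLENGE_MESSAGE, and this Python decoder extracts the fields an AUTHENTICATE_MESSAGE is built from (negotiate flags, the 8-byte server challenge, and the TargetInfo AV pairs). The function name, the returned dictionary keys and the flag/AV-pair name tables (a subset of the MS-NLMP definitions) are choices made for this example.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# gssapi-data copied from the server's CSeq 2 response in the trace above
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAAAAAAADgAAADzgpjixfrJRZMjjbQAAAAAAAAAAKAAoAA4AAAABgOAJQAA"
    "AA8CABAATgBPAFYATwBUAEUAUwBUAAEAFABRAEEAMQAyADEAVgBNADEANwA5AAQAFgBOAG8A"
    "dgBvAHQAZQBzAHQALgBjAGEAAwAsAHEAYQAxADIAMQB2AG0AMQA3ADkALgBOAG8AdgBvAHQA"
    "ZQBzAHQALgBjAGEABQAWAE4AbwB2AG8AdABlAHMAdAAuAGMAYQAHAAgAlvq/9xohzwEAAAAA"
)
# Subset of the MS-NLMP negotiate flag bits and AV pair ids, enough for this trace
FLAG_BITS = {0: "UNICODE", 2: "REQUEST_TARGET", 4: "SIGN", 5: "SEAL", 6: "DATAGRAM",
             9: "NTLM", 15: "ALWAYS_SIGN", 19: "EXTENDED_SESSIONSECURITY",
             23: "TARGET_INFO", 25: "VERSION", 29: "128", 30: "KEY_EXCH", 31: "56"}
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}

def parse_challenge(b64):
    """Decode an NTLM CHALLENGE_MESSAGE (type 2) into the fields a client needs."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    flags, server_challenge = struct.unpack_from("<I8s", msg, 20)
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    if info_off + info_len > len(msg):
        raise ValueError("TargetInfo runs past the end of the message")
    target_info, pos, av_pairs = msg[info_off:info_off + info_len], 0, {}
    while pos + 4 <= len(target_info):
        av_id, av_len = struct.unpack_from("<HH", target_info, pos)
        value = target_info[pos + 4:pos + 4 + av_len]
        if av_id == 0 or len(value) != av_len:  # MsvAvEOL or truncated pair
            break
        if av_id == 7:  # FILETIME: 100 ns ticks since 1601-01-01 UTC
            ticks = struct.unpack("<Q", value)[0]
            value = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
        elif av_id in AV_IDS:
            value = value.decode("utf-16-le")
        av_pairs[AV_IDS.get(av_id, av_id)] = value
        pos += 4 + av_len
    return {"flags": flags,
            "flag_names": {n for bit, n in FLAG_BITS.items() if flags >> bit & 1},
            "server_challenge": server_challenge.hex(),
            "target_info": target_info,  # raw AV pair bytes; NTLMv2 responses embed them
            "av_pairs": av_pairs}
```

Run against the trace, the decoded `DnsComputerName` matches the `targetname` header and the `Timestamp` AV pair matches the response's `Date` header, which is a quick check that the blob was extracted intact.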