I'm having a hard time trying to find how NLMP (shorthand for "NT LAN Manager (NTLM) Authentication Protocol") handles NTLM versions that are different from what the server expects.

Microsoft provides examples for NTLMv1, NTLMv1 with Client challenge and NTLMv2 authentication.

My first instinct was to check the negotiate flags. I found one that I thought was the one which "negotiated" the version. Microsoft says that a negotiate flag called NTLMSSP_NEGOTIATE_NTLM, if set, quote,

requests usage of the NTLM v1 session security protocol. NTLMSSP_NEGOTIATE_NTLM MUST be set in the NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client.

However, the flag in question appears to be set in every single protocol example mentioned above in the CHALLENGE and AUTHENTICATE packets. I couldn't find any other negotiate flags that mentioned NTLM versions (except for NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, but, as Microsoft themselves said, it's a "misnomer").

After more searching throughout the documentation, I came across this interesting note:

Note The LM and NTLM authentication versions are not negotiated by the protocol. It MUST be configured on both the client and the server prior to authentication. The NTOWF v1 function defined in this section is NTLM version-dependent and is used only by NTLM v1. The LMOWF v1 function defined in this section is also version-dependent and is used only by LM and NTLM v1.

So I guess NTLMSSP_NEGOTIATE_NTLM was a red herring after all. This note does clear up the question of where the NTLM versions get set (on the client side, by the client), but it does not describe what will happen if, for example, you would try to access an NTLMv1 server using NTLMv2. If it could help in answering the question more accurately, I'm interested in later implementing the WinRM protocol. I also need to support both NTLMv1 and NTLMv2.

I'm currently writing a library from scratch to handle this entire protocol specification (not WinRM, currently only NLMP), and I am currently not knowledgeable enough to know all the grimy details of implementing it. All I need is at least an example of such a thing being handled by other libraries like GSS (and preferably with the NLMP messages themselves).

I couldn't find any mention of this in the official Microsoft docs and I do not know how other libraries handle such cases. I've tried going through some source code, but couldn't find what I thought was relevant to the question.

NeverMine17
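An added example, not the asker's code or any library's: the MS-NLMP computations that differ between the versions discussed above, written so a server-side verifier can tell from the AUTHENTICATE_MESSAGE's NtChallengeResponse field which variant the client actually used (a 24-byte DESL output for NTLMv1 and NTLMv1 with client challenge, versus a 16-byte NTProofStr followed by an NTLMv2_CLIENT_CHALLENGE blob for NTLMv2), since the version itself is never negotiated. The NT hash, challenges, timestamp and account names are constructed sample values; NTOWFv1 (MD4 of the UTF-16LE password) is taken as given rather than computed.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs (not real credentials or captured traffic).
NT_HASH = bytes(range(16))                          # stands in for NTOWFv1(password)
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # 8 bytes from CHALLENGE_MESSAGE
CLIENT_CHALLENGE = bytes.fromhex("a1a2a3a4a5a6a7a8")  # 8 bytes chosen by the client
FILETIME = 0x01D9000000000000                       # constructed 64-bit FILETIME


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC_MD5 keyed with NTOWFv1 over UNICODE(UPPER(user) + domain)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_ntlmv2_response(response_key_nt: bytes, server_challenge: bytes,
                          client_challenge: bytes, filetime: int,
                          av_pairs: bytes = b"\x00\x00\x00\x00") -> bytes:
    """NtChallengeResponse for NTLMv2: NTProofStr || temp (MS-NLMP 3.3.2).

    temp = RespType(0x01) HiRespType(0x01) Z(6) Time ClientChallenge Z(4) AvPairs Z(4);
    the default av_pairs is just the terminating MsvAvEOL pair.
    """
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    nt_proof_str = hmac.new(response_key_nt, server_challenge + temp, hashlib.md5).digest()
    return nt_proof_str + temp


def classify_nt_response(nt_challenge_response: bytes) -> str:
    """Infer the variant from the field's shape, because no flag carries it."""
    if len(nt_challenge_response) == 24:
        return "NTLMv1"          # DESL(ResponseKeyNT, challenge) is always 24 bytes
    if len(nt_challenge_response) > 24 and nt_challenge_response[16:18] == b"\x01\x01":
        return "NTLMv2"          # RespType/HiRespType of the NTLMv2_CLIENT_CHALLENGE blob
    return "unknown"


def verify_ntlmv2(response_key_nt: bytes, server_challenge: bytes,
                  nt_challenge_response: bytes) -> bool:
    """Server side: recompute NTProofStr over the client-supplied temp and compare.

    A response in NTLMv1 shape is rejected up front; a v2 verifier has nothing
    it could compare a 24-byte DESL output against.
    """
    if classify_nt_response(nt_challenge_response) != "NTLMv2":
        return False
    nt_proof_str, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(response_key_nt, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof_str, expected)
```

Running `verify_ntlmv2` against a v1-shaped response returns False immediately, which is the observable outcome of the version mismatch the question asks about: the peer configured for the other variant can only fail the authentication, not fall back.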

0 Answers