Authentication::WindowsAuth:

The server name is authentication_windows
The client name is authentication_windows_client

The Windows Native Authentication method is more complex than the other methods and extends the auth protocol as it has to send more data forth and back than the old handshake permitted.

Basically it wraps the output of the [Negotiate SSP]("http://msdn.microsoft.com/en-us/library/windows/desktop/aa378748(v=VS.85).aspx") in the Auth Phase protocol which either means NTLM or SPNEGO are used as underlying protocol.

Due to the implementation details the Windows Native Authentication method doesn't use the fast path of the Connection Phase, but is only triggered on request as part of the Protocol::AuthSwitchRequest: packet.

Note

Due to implementation details (again) the first packet sent from the client to the server is expected to be either

254 bytes long max or
send the first 254 bytes first, appended by 1 byte with a magic value plus a 2nd packet with rest of the data

Also following windows authentication packets don't get split.

The client will send either a SPNEGO or a NTLM packet as a next packet.

To implement the protocol one can use several existing implementations:

MS Windows provides InitializeSecurityContextW and AcceptSecurityContext
A open source implementation of NTML, SPNEGO and Kerberos5 are provided by Heimdal
Java6 added SPNEGO support to JGSS which also provides the NTLM and Kerberos5 support.

See also: win_auth_handshake_client

NTLM

Note: Removed in Windows Vista and 2008; Documented in MSDN

SPNEGO

Uses GSS-API as protocol and negotiates the proper auth-method automatically.

Tip

To decode these packets by hand you need to read:

RFC2473 Section 3.1: Mechanism-independent Token Format
RFC4178 Section 4: Token Definitions
X.680 ASN.1
X.690 DER