Because of a vulnerability that has been found in Exchange Server I was trying to run that attack on our local system to see if the workaround can successfully prevent it.
I found a description of NTLM Authentication for HTTP which describes three messages in an NTLM handshake, namely Type 1, 2 and 3. The first one uses only the host name of the client machine and the domain name for generating the hash value. The second one is the server's challenge and the final one that ultimately authenticates the user to the server is created by the client using the nonce from the challenge and also user name and password.
When connecting to the Exchange Web Service using my credentials I was able to extract the correct user name from the Type-3 (AUTHENTICATION) message. But when I looked at the AUTHENTICATION message that the server sent when sending a push message there was neither a user name nor a domain or host name in it.
Also in another question it has been pointed out that in the first step of an NTLM authentication the client sends the user name to the server which seems not to have been the case here. What am I missing? Are there different variations of messages and flows for NTLM authentication via HTTP and other protocols?