Thanks you again! Regards, Bill Wesse MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM 8055 Microsoft Way Charlotte, NC 28273 TEL: 980-776-8200 CELL: 704-661-5438 FAX: 704-665-9606 We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
-----Original Message----- From: Adam Simpkins [mailto:[EMAIL PROTECTED] Sent: Monday, August 04, 2008 7:23 PM To: Bill Wesse Cc: '[EMAIL PROTECTED]' Subject: Re: Status: raw NTLMSSP tokens in GSS-API/SPNEGO? SRX080803600053 On Mon, Aug 04, 2008 at 01:48:37PM -0700, Adam Simpkins wrote: > On Mon, Aug 04, 2008 at 04:17:29AM -0700, Bill Wesse wrote: > > Good morning once again. You noted in your question that you can > > provide a network trace of the NTLM behavior you reported. I would > > deeply appreciate it if you would send one to me. Could you also > > note the OS versions of the client and server (just in case, even > > though the NtlmsspAuthenticaeMessage may contain a Version > > structure. Here's another trace of a Windows XP SP3 client sending raw NTLMSSP (no SPNEGO) to a server. This server is just a proxy in front of a Windows Server 2003 machine, but I configured it to strip off the securit blob from the server's NEGOTIATE response before sending it to the client. This causes the client to send raw NTLMSSP instead of SPNEGO. Based on the documentation in MS-SMB 2.2.4 and MS-SMB 3.2.4.2.3, I would expect the client to send a GSS authentication token here (i.e., an InitialContextToken). However, in this case the client sends raw NTLMSSP data. A resonable explanation for this would be that Microsoft's GSS-API implementation accepts raw NTLMSSP data for the first token, in addition to normal GSS InitialContextTokens. I think this is what item <8> of MS-SPNG Appendix A is trying to explain, but it mentions this as an extension of SPNEGO, not GSS-API. Assuming that this is a general extension that Microsoft has made to their GSS-API implementation, this would also explain the lack of the InitialContextToken for NTLMSSP when SPNEGO is used. Another related point that should probably be documented is that Windows servers do not seem to accept well-formed GSS InitialContextTokens containing NTLMSSP. I have attached a trace of that, too. (The server is the same Windows Server 2003 system as in the other traces.) -- Adam Simpkins [EMAIL PROTECTED] _______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
