Metze,

The AllowNT4Crypto parameter controls whether NT4 crypto, i.e. DES algorithm, 
is allowed. The default value is false.
The RequireStrongKey (NegotiateFlags Bit O - Supports strong keys) was 
introduced in Windows 2000 and enables the computation of a 128 session key 
(so-called strong key) by using MD5. The strong key usually refers to the 
combination of MD5 and RC4.
AES/SHA2 support is introduced in Windows 2008 R2, and is labeled by the 
NegotiateFlags Bit W, as documented in MS-NRPC 3.1.4.2.
When set to true, the AllowNT4Crypto allows session negotiation which does not 
have the STRONG_KEY bit set (NegotiateFlags Bit O). If AllowNT4Crypto is false 
and STRONG_KEY bit is not set, the server fails the session-key negotiation and 
returns STATUS_DOWNGRADE_DETECTED.
Note that the use of AllowNT4Crypto might have issues with some implementations 
that went directly to AES without going through RC4. There is an additional 
RejectMD5Clients registry key (ref. MS-NRPC 3.5.1, and 3.5.5.4.2, Windows 7 / 
2008 R2), which will not allow even RC4/MD5 based negotiation to occur, and 
restricts it only to the AES/SHA cryptosystem.
The product team will be reflecting this description in the MS-NRPC document.
Related KB: http://support.microsoft.com/kb/942564

Regards,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Wednesday, July 06, 2011 4:41 PM
To: Stefan (metze) Metzmacher; p...@tridgell.net; cifs-proto...@samba.org
Subject: [REG: 111070650721347] Behavior of AllowNT4Crypto

[Adding case number]

Metze,

I am taking care of this. I have opened a document issue on MS-NRPC. I will 
follow up as soon as I have news.

Regards,
Edgar

-----Original Message-----
From: Josh Curry 
Sent: Tuesday, July 05, 2011 10:21 AM
To: Stefan (metze) Metzmacher; Interoperability Documentation Help; 
p...@tridgell.net; cifs-proto...@samba.org
Subject: RE: Behavior of AllowNT4Crypto

Hi Stefan, thank you for your question. A member of the protocol documentation 
team will be in touch with you soon.

Josh Curry
Escalation Engineer
469.775.7215

Exceeding your expectations is my highest priority.  If you would like to 
provide feedback on your case you may contact my manager at 
allis...@microsoft.com.


-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:me...@samba.org] 
Sent: Tuesday, July 05, 2011 2:04 AM
To: Interoperability Documentation Help; p...@tridgell.net; 
cifs-proto...@samba.org
Subject: Behavior of AllowNT4Crypto

Hi,

can you please document the behavior that is triggered by the following 
parameter.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters]

"AllowNT4Crypto"=dword:00000001

I can't find this in MS-NRPC.

Is there any interaction with the RequireStrongKey parameter?

Thanks!
metze


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
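
The negotiation rules described in the first message of this thread, applied to a policy key like the one in the original question. This is an added example, not part of the thread and not Microsoft or Samba code. The function names, the sample .reg text, the client flag sets and the false default for RejectMD5Clients are assumptions made here; the flag values are those of NegotiateFlags bits O and W in MS-NRPC 3.1.4.2.

```python
import re

# NegotiateFlags bits named in the thread (values from MS-NRPC 3.1.4.2).
NEG_STRONG_KEY = 0x00004000   # bit O: supports strong keys
NEG_AES_SHA2 = 0x01000000     # bit W: supports AES/SHA2

# Constructed .reg export of the policy key quoted in the thread.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters]
"AllowNT4Crypto"=dword:00000000
"RejectMD5Clients"=dword:00000001
'''

def parse_policy(reg_text):
    """Read the two dword values from a .reg fragment.
    AllowNT4Crypto defaults to false (stated in the thread); the false
    default for RejectMD5Clients is an assumption of this example."""
    policy = {"AllowNT4Crypto": False, "RejectMD5Clients": False}
    for name, value in re.findall(r'^"(\w+)"=dword:([0-9a-fA-F]{8})', reg_text, re.M):
        if name in policy:
            policy[name] = int(value, 16) != 0
    return policy

def evaluate(flags, policy):
    """Return (accepted, cryptosystem_or_reason) for a client's NegotiateFlags."""
    strong = bool(flags & NEG_STRONG_KEY)
    aes = bool(flags & NEG_AES_SHA2)
    # Rule as written in the thread: STRONG_KEY bit not set and
    # AllowNT4Crypto false -> negotiation fails.
    if not strong and not policy["AllowNT4Crypto"]:
        return False, "STATUS_DOWNGRADE_DETECTED: STRONG_KEY bit not set"
    # RejectMD5Clients restricts negotiation to AES/SHA. The thread does not
    # give the status code for this case, so only a reason is reported.
    if not aes and policy["RejectMD5Clients"]:
        return False, "rejected: RejectMD5Clients requires AES/SHA"
    if aes:
        return True, "AES/SHA2"
    return True, "RC4/MD5 strong key" if strong else "DES (NT4 crypto)"

def audit(reg_text, clients):
    """Evaluate every client flag set against the policy in reg_text."""
    policy = parse_policy(reg_text)
    return {name: evaluate(flags, policy) for name, flags in clients.items()}

# Constructed client flag sets, including an AES client that omits bit O.
CLIENTS = {"nt4": 0, "w2k": NEG_STRONG_KEY,
           "w2k8r2": NEG_STRONG_KEY | NEG_AES_SHA2, "aes_only": NEG_AES_SHA2}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_REG, CLIENTS).items():
        print(name, result)
```

The `aes_only` entry shows the caveat from the first message: a client that sets bit W without bit O is refused under the rule as written unless AllowNT4Crypto is enabled.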
