Richard, In your note below is the Win2K server a member of a domain or standalone and is it currently able to talk with its Kerberos KDC? What you describe would make sense (i.e. for the server to use "raw NTLMSSP" and not use SPNEGO) if there were no Kerberos vs. NTLMSSP security choice to negotiate (the server would probably not be able to offer Kerberos if it is not part of a domain or if it could not contact its KDC so why even bother with SPNEGO in that case).
Very interesting puzzle. Subject: Hint on how Win2K etc choose raw NTLMSSP vs SPNEGO Hi, I have a trace of a client talking to a Win2K server, where the server decides to use raw NTLMSSP, but I also have a trace of a Win2K machine joining a WinXP domain. In the latter case, the WinXP machine decides to use SPNEGO, not raw NTLMSSP. The only difference I can see is in the list of protocols offered in the NegProt. In all the examples I have looked at, it looks like Win2K and above choose raw NTLMSSP if they are offered only one dialect, NT LM 0.12. However, if they are offered more than one dialect, they seem to choose SPNEGO. Guess I will have to check tomorrow. Regards ----- Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], Steve French Senior Software Engineer Linux Technology Center - IBM Austin phone: 512-838-2294 email: [EMAIL PROTECTED]
