On Wed, 9 Oct 2002, Steven French wrote:

> Richard,
> In your note below is the Win2K server a member of a domain or standalone
> and is it currently able to talk with its Kerberos KDC? What you describe
> would make sense (i.e. for the server to use "raw NTLMSSP" and not use
> SPNEGO) if there were no Kerberos vs. NTLMSSP security choice to negotiate
> (the server would probably not be able to offer Kerberos if it is not part
> of a domain or if it could not contact its KDC so why even bother with
> SPNEGO in that case).
>
> Very interesting puzzle.

OK, you are right. My guess was wrong.

Here is another guess. The traces that I have that go directly to NTLMSSP do not have bit-4 in the Flags2 field set, but do have bit-11 (EXT_SEC) while the trace that I have that has bit-11 set, and uses SPNEGO, has bit-4 set.

This bit is undocumented. I bet it is the bit that says, don't use raw NTLMSSP :-)

Regards
-----
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], http://www.richardsharpe.com
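
Added example, not part of the original message: a small Python helper for sorting SMB1 packets from a trace by the two Flags2 bits compared above, so the correlation can be checked across captures. It assumes bits are counted from 0 at the least significant bit (which matches EXT_SEC = 0x0800 for bit 11); the sample packets and the names `parse_flags2`, `classify` and `make_packet` are constructed for illustration.

```python
import struct

SMB_MAGIC = b"\xffSMB"
# 32-byte SMB1 header: magic, command, status, flags, flags2, pid_high,
# security features, reserved, tid, pid_low, uid, mid (little-endian).
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
FLAGS2_EXT_SEC = 0x0800  # bit 11, the EXT_SEC bit named in the message
FLAGS2_BIT4 = 0x0010     # bit 4, assuming bits are counted from 0 at the LSB


def parse_flags2(packet: bytes) -> int:
    """Return Flags2, skipping a 4-byte NetBIOS session header if present."""
    offset = 4 if packet[:1] == b"\x00" and packet[4:8] == SMB_MAGIC else 0
    if len(packet) - offset < SMB_HEADER.size:
        raise ValueError("truncated SMB header")
    fields = SMB_HEADER.unpack_from(packet, offset)
    if fields[0] != SMB_MAGIC:
        raise ValueError("not an SMB1 packet")
    return fields[4]


def classify(packet: bytes) -> str:
    """Label a packet by the bit combination the message compares."""
    flags2 = parse_flags2(packet)
    if not flags2 & FLAGS2_EXT_SEC:
        return "no-ext-sec"
    return "ext-sec+bit4" if flags2 & FLAGS2_BIT4 else "ext-sec-only"


def make_packet(flags2: int, netbios: bool = False) -> bytes:
    """Constructed sample: bare SMB header (command 0x72) with given Flags2."""
    header = SMB_HEADER.pack(SMB_MAGIC, 0x72, 0, 0x18, flags2,
                             0, bytes(8), 0, 0, 0, 0, 0)
    return (struct.pack(">I", len(header)) if netbios else b"") + header


if __name__ == "__main__":
    # Constructed Flags2 values, not taken from the traces in the thread.
    for flags2 in (0xC801, 0xC811, 0xC001):
        print(f"Flags2=0x{flags2:04x}: {classify(make_packet(flags2))}")
```

The labels only report which bits are set; whether bit 4 actually selects SPNEGO over raw NTLMSSP remains the guess stated in the message.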
