On Thu, 10 Oct 2002, Richard Sharpe wrote: > On Wed, 9 Oct 2002, Steven French wrote: > > > Richard, > > In your note below is the Win2K server a member of a domain or standalone > > and is it currently able to talk with its Kerberos KDC? What you describe > > would make sense (i.e. for the server to use "raw NTLMSSP" and not use > > SPNEGO) if there were no Kerberos vs. NTLMSSP security choice to negotiate > > (the server would probably not be able to offer Kerberos if it is not part > > of a domain or if it could not contact its KDC so why even bother with > > SPNEGO in that case). > > > > Very interesting puzzle. > > OK, you are right. My guess was wrong. > > Here is another guess. The traces that I have that go directly to NTLMSSP > do not have bit-4 in the Flags2 field set, but do have bit-11 (EXT_SEC) > while the trace that I have that has bit-11 set, and uses SPNEGO, has > bit-4 set. > > This bit is undocumented. I bet it is the bit that says, don't use raw > NTLMSSP :-)
OK, not enough bits ... :-( Regards ----- Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], http://www.richardsharpe.com
