From my experience, read below...

From: "Christopher R. Hertel" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: NTLMv2 Session Security
Date: Thu, 6 Feb 2003 13:24:42 -0600

While trying to document NTLMv2 authentication, I stumbled across
something known as NTLMv2 Session Security. Does anyone know what this
is? I can set

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel

to 1 to "enable" NTLMv2 Session Security, but I'm not sure what it does.
Some sources say that it allows the client and server to 'negotiate' the
use of NTLMv2 challenge/response (how?). Other sources say that it
provides message integrity and confidentiality (how?).

Changing the registry setting either turns on or off NTLMv2. The server can guess which is being used by the client based on the blob lengths. The modes documented by MS to allow negotiation do nothing. There is no way in the NegProt or SessionSetupX to negotiate this.

NTLMv2 does not provide integrity or confidentiality. For integrity to happen, the flags2 Security Signature bit needs to be set in the SMB header when doing a Session Setup. I'm not sure that NTLMv2 needs to be used as well.

Confidentiality I've never seen happen.

I've played with this enough to know that enabling NTLMv2 Session Security
does not enable SMB packet signing (MAC signing).  There's a different set
of registry variables for that.  Perhaps they all interact with one
another...

Clues welcome.

Chris -)-----

--
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/    -)-----   [EMAIL PROTECTED]
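
The two observations in the reply above (guessing the response type from the blob lengths, and the flags2 Security Signature bit in the SMB header) can be checked on a captured request. This is an added example, not part of the original messages or of Samba/jCIFS code; the function names are hypothetical, it assumes the 13-word (non-extended-security) SMB1 Session Setup AndX layout, and the sample packets are constructed with zero-filled responses.

```python
import struct

# SMB1 header is 32 bytes; Flags2 is the 16-bit field at offset 10.
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS2_SECURITY_SIGNATURE = 0x0004
HEADER = struct.Struct("<4sBIBHH8sHHHHH")      # 32 bytes
SETUP_WORDS = struct.Struct("<BBHHHHIHHII")    # 13 parameter words = 26 bytes


def classify_response(length):
    """Guess the response type from its length alone (a heuristic)."""
    if length == 0:
        return "none"
    if length == 24:
        return "24-byte (LM/NTLM v1 style)"
    if length > 24:
        return "longer than 24 (NTLMv2 style: 16-byte HMAC + blob)"
    return "unknown"


def inspect_session_setup(packet):
    """Return signing flag and response-length guesses for one request."""
    if len(packet) < HEADER.size + 1 + SETUP_WORDS.size:
        raise ValueError("truncated SMB message")
    magic, command, _status, _flags, flags2, *_ = HEADER.unpack_from(packet, 0)
    if magic != b"\xffSMB" or command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB1 Session Setup AndX request")
    if packet[HEADER.size] != 13:
        raise ValueError("not the 13-word (non-extended-security) form")
    words = SETUP_WORDS.unpack_from(packet, HEADER.size + 1)
    return {
        "signing_bit": bool(flags2 & SMB_FLAGS2_SECURITY_SIGNATURE),
        "case_insensitive": classify_response(words[7]),  # OEM password length
        "case_sensitive": classify_response(words[8]),    # Unicode password length
    }


def build_sample(flags2, ci_len, cs_len):
    """Constructed request for the demo; response bytes are zero filler."""
    header = HEADER.pack(b"\xffSMB", SMB_COM_SESSION_SETUP_ANDX, 0, 0x18,
                         flags2, 0, b"\0" * 8, 0, 0, 0, 0, 1)
    words = SETUP_WORDS.pack(0xFF, 0, 0, 4356, 50, 0, 0, ci_len, cs_len, 0, 0)
    data = b"\0" * (ci_len + cs_len)
    return header + b"\x0d" + words + struct.pack("<H", len(data)) + data


if __name__ == "__main__":
    for args in ((0xC001, 24, 24), (0xC005, 24, 60)):
        print(inspect_session_setup(build_sample(*args)))
```

The length test is only the guess the reply describes: it separates 24-byte responses from longer ones and says nothing about whether the response itself is valid.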

