On Sat, 12 Nov 2005, Andrew Bartlett wrote:
> Some day I'll figure out how this fits into the windows SamLogon system. I'm told it does, but I just don't know how...
For one it's a different SSP, and completely different authentication mechanism.
It also seems that the mechanism used may differ between 2000 and 2003. I remember seeing some significant differences in "client server" requirements which made me suspect they had significantly redone things, but I do not remember in detail now. But I remember having the reaction that I felt they had probably extracted the plaintext password in earlier versions and now switched to using Digest to the DC to protect the user's password.
Ideally Digest is integrated using Digest MD5-sess over a trusted channel, returning the MD5-sess HA1 hash together with the successful response, allowing the "client server" to process authentication directly for the rest of the session (until the server nonce expires). Even more preferred: also taking the server nonce (similar to a challenge) as input, similar to what is done for NTLM verification in SamLogon. But given the small detail that MSIE does not support MD5-sess or even nonce reuse, I somehow doubt they support any of this effectively...
Regards Henrik
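The MD5-sess split Henrik describes, written out as an added example (this is not code from the thread or from Samba or Squid; the `dc_verify_first_request` / `front_end_verify` names, the credentials and the nonces are constructed for illustration). It follows RFC 2617: with `algorithm=MD5` the HA1 value is a password-equivalent secret that any server verifying Digest must hold, whereas with `algorithm=MD5-sess` HA1 is re-hashed with the server nonce and client cnonce, so a trusted DC can verify the first response and hand the front-end server only that session-bound HA1. The front end can then check every further request under the same nonce without ever seeing the password or the reusable hash, and the value it holds becomes useless once the nonce changes.

```python
import hashlib
import hmac

# Constructed sample credentials and nonces (not from any real system).
USER, REALM, PASSWORD = "alice", "example.test", "correct horse battery"
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed
CLIENT_CNONCE = "0a4f113b"                            # constructed


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_md5(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 for algorithm=MD5: MD5(user:realm:password).
    This value is password-equivalent; whoever holds it can answer any challenge."""
    return md5_hex(f"{user}:{realm}:{password}")


def ha1_md5_sess(ha1_plain: str, nonce: str, cnonce: str) -> str:
    """RFC 2617 HA1 for algorithm=MD5-sess: MD5(HA1:nonce:cnonce).
    Bound to one server nonce / client cnonce pair, so it expires with the nonce."""
    return md5_hex(f"{ha1_plain}:{nonce}:{cnonce}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest with qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def dc_verify_first_request(user, realm, password, method, uri,
                            nonce, nc, cnonce, response):
    """Hypothetical DC side: it holds the password (or MD5(user:realm:password)),
    checks the first response, and on success returns the session HA1 for the
    front end. It never releases the password or the reusable MD5 HA1."""
    session_ha1 = ha1_md5_sess(ha1_md5(user, realm, password), nonce, cnonce)
    expected = digest_response(session_ha1, method, uri, nonce, nc, cnonce)
    return session_ha1 if hmac.compare_digest(expected, response) else None


def front_end_verify(session_ha1, method, uri, nonce, nc, cnonce, response) -> bool:
    """Hypothetical 'client server' side: verifies later requests with only the
    session HA1 it received from the DC. Works only under the same nonce/cnonce."""
    expected = digest_response(session_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk one session: first request via the DC, second request locally,
    then show the session HA1 is worthless under a fresh nonce."""
    # Client side (constructed): per RFC 2617 the client computes the MD5-sess
    # HA1 once per nonce and reuses it, with the same cnonce, for later requests.
    client_ha1 = ha1_md5_sess(ha1_md5(USER, REALM, PASSWORD), SERVER_NONCE, CLIENT_CNONCE)

    resp1 = digest_response(client_ha1, "GET", "/index.html", SERVER_NONCE, "00000001", CLIENT_CNONCE)
    session_ha1 = dc_verify_first_request(USER, REALM, PASSWORD, "GET", "/index.html",
                                          SERVER_NONCE, "00000001", CLIENT_CNONCE, resp1)

    # Second request under the same nonce: the front end checks it without the DC.
    resp2 = digest_response(client_ha1, "GET", "/other.html", SERVER_NONCE, "00000002", CLIENT_CNONCE)
    second_ok = session_ha1 is not None and front_end_verify(
        session_ha1, "GET", "/other.html", SERVER_NONCE, "00000002", CLIENT_CNONCE, resp2)

    # Nonce rotated: the client derives a new HA1, so the stored session HA1
    # no longer verifies and the front end must go back to the DC.
    new_nonce = "6c1e2f3a4b5c6d7e8f9a0b1c2d3e4f50"   # constructed
    new_client_ha1 = ha1_md5_sess(ha1_md5(USER, REALM, PASSWORD), new_nonce, CLIENT_CNONCE)
    resp3 = digest_response(new_client_ha1, "GET", "/index.html", new_nonce, "00000001", CLIENT_CNONCE)
    stale_ok = session_ha1 is not None and front_end_verify(
        session_ha1, "GET", "/index.html", new_nonce, "00000001", CLIENT_CNONCE, resp3)

    # Wrong password at the DC: no session HA1 is released.
    bad = dc_verify_first_request(USER, REALM, "wrong password", "GET", "/index.html",
                                  SERVER_NONCE, "00000001", CLIENT_CNONCE, resp1)

    return {
        "session_ha1": session_ha1,
        "matches_client": session_ha1 == client_ha1,
        "second_request_ok": second_ok,
        "stale_ha1_accepted_after_nonce_change": stale_ok,
        "wrong_password_released_ha1": bad is not None,
        "session_ha1_equals_reusable_ha1": session_ha1 == ha1_md5(USER, REALM, PASSWORD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The contrast with plain `algorithm=MD5` is the last key in the result: the session HA1 is never the reusable `MD5(user:realm:password)`, so a compromised front end leaks at most one nonce's worth of authentication. As the message notes, none of this helps if the browser only ever sends `algorithm=MD5` and refuses to reuse a nonce.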
