[cifs-protocol] Response (document change proposals): raw NTLMSSP tokens in GSS-API/SPNEGO? SRX080803600053
Bill Wesse
billwe at microsoft.com
Wed Aug 13 16:59:37 GMT 2008
Good afternoon Mr. Simpkins. I have reviewed your comments, with respect to my earlier answers to your original questions.
I have summarized my research below, in the form of (rough-cut) change proposals for the [MS-SPNG] and [MS-SMB] documents.
I certainly invite you to suggest amendments, changes, and so forth, to ensure the change requests I will submit to documentation development satisfy your needs fully (there was quite a bit of earlier detail to parse; hopefully I haven't missed anything).
-----------------------------------------------------------------------------
[MS-SPNG]: Simple and Protected Generic Security Service Application Program
Interface Negotiation Mechanism (SPNEGO) Protocol Extensions
Change:
3.1.5.2 mechTypes Identification of Kerberos
<5>
To:
3.1.5.2 mechTypes Identification of Kerberos
Windows XP, Windows Server 2003, Windows Vista, and Windows Server offer and
receive the mechType 1.2.840.113554.1.2.2 (Generic Security Service
Application Program Interface) when using Kerberos Version 5 technology,
{ iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
krb5(2) }.<5>
-----------------------------------------------------------------------------
[MS-SMB]: Server Message Block (SMB) Protocol Specification
3.2.4.2.3 User Authentication
Add a <Windows Behavior #> reference (suggested text shown below) to the
'Extended Security' subtopic.
<Windows Behavior #>
Windows accepts raw NTLM messages that are not embedded in [RFC4178] SPNEGO
messages ([MS-SPNG] 3.2.5.2 Universal Receiver) in the SecurityBlob of an
SMB_COM_SESSION_SETUP_ANDX request packet. This was introduced in the NTLMv2
implementation of Windows NT 4 Service Pack 4.
Note: See the attached:
raw_ntlmssp.cap frame 7.
GSSAPI/SPNEGO support for Kerberos and NTLMSSP was introduced in Windows
2000.
[RFC4178] section 3.2 (c) implies a new inner context should be established.
This is done with Kerberos, but not with NTLMSSP. Additionally, Windows does
not accept GSS InitialContextTokens containing NTLMSSP within a new inner
context.
Note: See the attached:
spnego_krb.cap frame 7
spnego_ntlmssp.cap frame 6.
gss_ntlmssp.cap frame 7 (server responds with STATUS_INVALID_PARAMETER)
-----------------------------------------------------------------------------
Detail from Captures.zip.bin (attached):
raw_ntlmssp.cap frame 7:
[Windows XpSp3 to Windows 2003]
- Smb: C; Session Setup Andx
Protocol: SMB
Command: Session Setup Andx 115(0x73)
+ NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code = (0) STATUS_SUCCESS
- SMBHeader: Command, TID: 0x0000, PID: 0xFEFF, UID: 0x0000, MID: 0x0040
- Flags: 24 (0x18)
CaseInsensitive: (....1...) SMB paths are case-insensitive (SMB_FLAGS_CASE_INSENSITIVE)
Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete) (SMB_FLAGS_CANONICALIZED_PATHS)
FromServer: (0.......) Command - SMB is being sent from the client (SMB_FLAGS_SERVER_TO_REDIR)
- Flags2: 51207 (0xC807)
KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)
ExtendedAttribs: (..............1.) Understands extended attributes (SMB_FLAGS2_KNOWS_EAS)
SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)
StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)
Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)
+ TCPIPSecuritySignature:
Reserved: 0 (0x0)
TreeID: 0 (0x0)
ProcessID: 65279 (0xFEFF)
UserID: 0 (0x0)
MultiplexID: 64 (0x40)
- CSessionSetupAndXNTLMESS:
WordCount: 12 (0xC)
ANDXCommand: No Secondary Command 255(0xFF)
AndXReserved: 0 (0x0)
ANDXOffset: 202 (0xCA)
MaxBufferSize: 4356 (0x1104)
MaxMpxCount: 50 (0x32)
VcNumber: 0 (0x0)
SessionKey: 0 (0x0)
SecurityBlobLength: 40 (0x28)
Reserved: 0 (0x0)
- Capabilities: 0xA00000D4
Unicode: (.............................1..) Supports Unicode Strings (CAP_UNICODE)
NTSMBs: (...........................1....) Supports SMB NTLM 0.12 dialect commands (implies CAP_NT_FIND) (CAP_NT_SMBS)
NTStatus: (.........................1......) Can respond with 32-bit NT status codes in Status (CAP_NT_STATUS)
LevelIIOplocks: (........................1.......) Supports Level II oplocks ( CAP_LEVEL_II_OPLOCKS)
DynamicReauth: (..1.............................) Supports dynamic reauthorization (CAP_DYNAMIC_REAUTH)
ExtenedSecurity: (1...............................) Supports extended security exchange (CAP_EXTENDED_SECURITY)
ByteCount: 143 (0x8F)
SecurityBlob:
- UnicodeParameters:
+ Align: 0 Bytes
NativeOS: Windows 2002 Service Pack 3 2600
NativeLANMan: Windows 2002 5.1
ANDXPadding: Binary Large Object (2 Bytes)
- NtlmSSP: NTLM NEGOTIATE MESSAGE
Signature: NTLMSSP
MessageType: Negotiate Message (0x00000001)
- NtlmsspNegotiateMessage:
+ NegotiateFlags: 0xA2088207 (NTLM v2128-bit encryption, Always Sign)
+ WorkstationDomainHeader: Length: 0, Offset: 0
+ WorkstationNameHeader: Length: 0, Offset: 0
+ Version: Windows 5.1 Build 10250 NTLMSSPv15
spnego_ntlmssp.cap frame 6:
[Windows XpSp3 to Windows 2003]
- GssApi:
+ ApplicationHeader:
+ ThisMech: SpnegoToken (1.3.6.1.5.5.2) ([RFC2078])
- InnerContextToken: 0x1
- SpnegoToken: 0x1
+ Tag0:
- NegTokenInit: ([RFC2478] NegotiationToken, negTokenInit [0] NegTokenInit)
+ SequenceHeader:
+ Tag0:
- MechTypes: ([RFC2478] mechTypes [0] MechTypeList OPTIONAL)
+ SequenceHeader:
+ MechType: NtlmSsp (1.3.6.1.4.1.311.2.2.10)
+ Tag2: ([RFC2478] mechToken [2] OCTET STRING OPTIONAL)
+ OctetStringHeader:
MechToken: 0x1 (NtlmSsp: NTLM NEGOTIATE MESSAGE)
- NtlmSsp: NTLM NEGOTIATE MESSAGE
Signature: NTLMSSP
MessageType: Negotiate Message (0x00000001)
- NtlmsspNegotiateMessage:
+ NegotiateFlags: 0xE2088297 (NTLM v2128-bit encryption, Always Sign)
+ WorkstationDomainHeader: Length: 0, Offset: 0
+ WorkstationNameHeader: Length: 0, Offset: 0
+ Version: Windows 5.1 Build 10250 NTLMSSPv15
spnego_krb.cap frame 7:
[Windows XpSp3 to Windows 2003]
- GssApi:
+ ApplicationHeader:
+ ThisMech: SpnegoToken (1.3.6.1.5.5.2)
- InnerContextToken: 0x1
- SpnegoToken: 0x1
+ Tag0:
- NegTokenInit: ([RFC2478] NegotiationToken, negTokenInit [0] NegTokenInit)
+ SequenceHeader:
+ Tag0:
+ MechTypes: ([RFC2478] mechTypes [0] MechTypeList OPTIONAL)
+ Tag2: ([RFC2478] mechToken [2] OCTET STRING OPTIONAL)
+ OctetStringHeader:
- MechToken: 0x1
+ MsKerberosToken: 0x1
- GssApi: ([RFC4178] section 3.2 (c))
+ ApplicationHeader:
+ ThisMech: KerberosToken (1.2.840.113554.1.2.2)
+ InnerContextToken: 0x1
gss_ntlmssp.cap frame 7 (server responds with STATUS_INVALID_PARAMETER):
[Windows XpSp3 to Windows 2003]
- SecurityBlob:
- GssApi:
- ApplicationHeader:
+ AsnId: Application Constructed Tag (0)
+ AsnLen: Length = 44, LengthOfLength = 0
- ThisMech: NtlmSsp (1.3.6.1.4.1.311.2.2.10)
+ MechType: NtlmSsp (1.3.6.1.4.1.311.2.2.10)
InnerContextToken: 0x1
+ UnicodeParameters:
ANDXPadding: Binary Large Object (2 Bytes)
- NtlmSsp: NTLM NEGOTIATE MESSAGE
Signature: NTLMSSP
MessageType: Negotiate Message (0x00000001)
- NtlmsspNegotiateMessage:
+ NegotiateFlags: 0xA0000217 (NTLM v1128-bit encryption, , Sign)
+ WorkstationDomainHeader: Length: 0, Offset: 0
+ WorkstationNameHeader: Length: 0, Offset: 0
Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: 980-776-8200
CELL: 704-661-5438
FAX: 704-665-9606
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Captures.zip.bin
Type: application/octet-stream
Size: 6984 bytes
Desc: Captures.zip.bin
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080813/afb8ae7c/Captures.zip.bin
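Added example (not part of the message above and not Microsoft or Samba code): a Python classifier for the three NTLMSSP SecurityBlob framings the message describes, namely raw NTLMSSP, NTLMSSP inside a SPNEGO NegTokenInit, and a GSS InitialContextToken that names the NTLMSSP OID directly, which the Windows 2003 server in gss_ntlmssp.cap answered with STATUS_INVALID_PARAMETER. The function names are hypothetical, NTLMSSP_OID is the DER encoding of 1.3.6.1.4.1.311.2.2.10, and the sample blobs are constructed to match the lengths and flags shown in the capture detail (version field zeroed), not copied from the attachment.

```python
SPNEGO, NTLMSSP_OID = "1.3.6.1.5.5.2", bytes.fromhex("060a2b06010401823702020a")

def tlv(buf, off=0):
    """Read one DER TLV at off; return (tag, value, next_offset)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                   # long form: low bits = octet count
        end = off + (n & 0x7F)
        n, off = int.from_bytes(buf[off:end], "big"), end
    if off + n > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + n], off + n

def oid(body):                                     # DER OID octets -> dotted string
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def classify(blob):
    """Return (framing, mech OIDs) for an SMB session-setup SecurityBlob."""
    if blob[:8] == b"NTLMSSP\x00":
        return "raw NTLMSSP", []
    try:
        tag, body, _ = tlv(blob)                   # 0x60: GSS InitialContextToken
        mtag, mech, off = tlv(body)                # 0x06: thisMech OID
        if (tag, mtag) != (0x60, 0x06):
            return "unknown", []
        if oid(mech) != SPNEGO:
            return "GSS token without SPNEGO", [oid(mech)]
        lst = body[off:]                           # walk down to the mechTypes list
        for want in (0xA0, 0x30, 0xA0, 0x30):
            got, lst, _ = tlv(lst)
            if got != want:
                raise ValueError("not a NegTokenInit")
        mechs, p = [], 0
        while p < len(lst):
            _, o, p = tlv(lst, p)
            mechs.append(oid(o))
        return "SPNEGO NegTokenInit", mechs
    except (IndexError, ValueError):
        return "malformed", []

# Constructed samples shaped like the three NTLMSSP captures (not the .cap bytes).
der = lambda tag, body: bytes([tag, len(body)]) + body      # short lengths only
neg = lambda flags: b"NTLMSSP\x00\x01\x00\x00\x00" + flags.to_bytes(4, "little") + bytes(16)
RAW, GSS_NTLM = neg(0xA2088207) + bytes(8), der(0x60, NTLMSSP_OID + neg(0xA0000217))
WRAPPED = der(0x60, bytes.fromhex("06062b0601050502") + der(0xA0, der(0x30,
    der(0xA0, der(0x30, NTLMSSP_OID)) + der(0xA2, der(0x04, RAW)))))
```

RAW is 40 bytes, matching SecurityBlobLength in raw_ntlmssp.cap frame 7, and the GSS_NTLM header length is 44, matching AsnLen in gss_ntlmssp.cap frame 7.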