[cifs-protocol] [REG: 111070650721347] Behavior of AllowNT4Crypto

Edgar Olougouna edgaro at microsoft.com
Mon Jul 11 15:27:01 MDT 2011


Metze,

The AllowNT4Crypto parameter controls whether NT4 crypto, i.e. the DES algorithm, is allowed. The default value is false.
The RequireStrongKey (NegotiateFlags bit O, "Supports strong keys") was introduced in Windows 2000 and enables the computation of a 128-bit session key (the so-called strong key) by using MD5. The strong key usually refers to the combination of MD5 and RC4.
AES/SHA2 support was introduced in Windows 2008 R2 and is labeled by NegotiateFlags bit W, as documented in MS-NRPC 3.1.4.2.
When set to true, AllowNT4Crypto allows a session negotiation that does not have the STRONG_KEY bit set (NegotiateFlags bit O). If AllowNT4Crypto is false and the STRONG_KEY bit is not set, the server fails the session-key negotiation and returns STATUS_DOWNGRADE_DETECTED.
Note that the use of AllowNT4Crypto might cause issues with some implementations that went directly to AES without going through RC4. There is an additional RejectMD5Clients registry key (ref. MS-NRPC 3.5.1 and 3.5.5.4.2, Windows 7 / 2008 R2), which will not allow even RC4/MD5-based negotiation to occur and restricts it to the AES/SHA cryptosystem only.
The product team will be reflecting this description in the MS-NRPC document.
Related KB: http://support.microsoft.com/kb/942564

Regards,
Edgar
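The server-side decision described above, as an added model that is not part of the original thread and not Microsoft's or Samba's code: it takes the client's NegotiateFlags and the two policy keys and returns the cryptosystem the server would use, or STATUS_DOWNGRADE_DETECTED. The bit values for O and W are assumed from MS-NRPC 3.1.4.2 (not quoted on this page), and the status returned under RejectMD5Clients is an assumption; the strong-key check follows the description literally, which is what produces the AES-only corner case the message warns about.

```python
# Model of the Netlogon session-key negotiation policy described in the thread.
# NegotiateFlags bit values assumed from MS-NRPC 3.1.4.2 (not quoted on this page).
NEG_STRONG_KEYS = 0x00004000   # bit O: "Supports strong keys" (RC4/MD5, 128-bit key)
NEG_SUPPORTS_AES = 0x01000000  # bit W: AES/SHA2 session keys (Windows 2008 R2 and later)

DOWNGRADE = "STATUS_DOWNGRADE_DETECTED"


def negotiate_session_key(client_flags, allow_nt4_crypto=False, reject_md5_clients=False):
    """Return the cryptosystem the server would use for this client, or DOWNGRADE.

    Follows the description literally: the strong-key check looks only at bit O,
    so a client that sets bit W without bit O fails unless AllowNT4Crypto is true
    (the interoperability issue the message warns about).
    """
    wants_aes = bool(client_flags & NEG_SUPPORTS_AES)
    wants_strong = bool(client_flags & NEG_STRONG_KEYS)
    if reject_md5_clients and not wants_aes:
        return DOWNGRADE          # RejectMD5Clients: only AES/SHA2 is acceptable (assumed status)
    if not wants_strong and not allow_nt4_crypto:
        return DOWNGRADE          # AllowNT4Crypto=false requires the STRONG_KEY bit
    if wants_aes:
        return "AES/SHA2"
    if wants_strong:
        return "RC4/MD5"          # 128-bit "strong key"
    return "DES"                  # NT4 crypto, only reachable with AllowNT4Crypto=true


def audit(policies):
    """Map each (AllowNT4Crypto, RejectMD5Clients) policy to outcomes for sample clients."""
    clients = {                   # constructed sample clients, by the flags they offer
        "nt4": 0,
        "w2k": NEG_STRONG_KEYS,
        "w2k8r2": NEG_STRONG_KEYS | NEG_SUPPORTS_AES,
        "aes_only": NEG_SUPPORTS_AES,
    }
    return {
        policy: {name: negotiate_session_key(flags, *policy) for name, flags in clients.items()}
        for policy in policies
    }


if __name__ == "__main__":
    for policy, outcomes in audit([(False, False), (True, False), (False, True)]).items():
        print(f"AllowNT4Crypto={policy[0]} RejectMD5Clients={policy[1]}: {outcomes}")
```

Running it shows that with the defaults an "aes_only" client is rejected even though it offers the strongest cryptosystem, while RejectMD5Clients rejects every client that does not set bit W.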

-----Original Message-----
From: Edgar Olougouna 
Sent: Wednesday, July 06, 2011 4:41 PM
To: Stefan (metze) Metzmacher; pfif at tridgell.net; cifs-protocol at samba.org
Subject: [REG: 111070650721347] Behavior of AllowNT4Crypto

[Adding case number]

Metze,

I am taking care of this. I have opened a document issue on MS-NRPC. I will follow-up as soon as I have news.

Regards,
Edgar

-----Original Message-----
From: Josh Curry 
Sent: Tuesday, July 05, 2011 10:21 AM
To: Stefan (metze) Metzmacher; Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Behavior of AllowNT4Crypto

Hi Stefan, thank you for your question. A member of the protocol documentation team will be in touch with you soon.

Josh Curry
Escalation Engineer
469.775.7215

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at allisong at microsoft.com.


-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Tuesday, July 05, 2011 2:04 AM
To: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Behavior of AllowNT4Crypto

Hi,

Can you please document the behavior that is triggered by the following parameter?

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters]

"AllowNT4Crypto"=dword:00000001

I can't find this in MS-NRPC.

Is there any interaction with the RequireStrongKey parameter?

Thanks!
metze
