[cifs-protocol] Re: Status: raw NTLMSSP tokens in GSS-API/SPNEGO? SRX080803600053

Adam Simpkins simpkins at cisco.com
Mon Aug 4 20:48:37 GMT 2008

On Mon, Aug 04, 2008 at 04:17:29AM -0700, Bill Wesse wrote:
> Good morning once again. You noted in your question that you can
> provide a network trace of the NTLM behavior you reported. I would
> deeply appreciate it if you would send one to me. Could you also
> note the OS versions of the client and server (just in case, even
> though the NtlmsspAuthenticaeMessage may contain a Version
> structure.

Please find a trace attached.  This was taken between a client running
Windows XP SP3 and a server running Windows Server 2003 SP2
(Enterprise Edition).

Frame 6 contains the initial SESSION_SETUP_ANDX request.  This
contains a GSS-API InitialContextToken that uses SPNEGO.  The
mechToken inside the SPNEGO NegTokenInit contains just raw NTLMSSP
data.  According to RFC 4178 section 3.2 item (c), this should be a
GSS InitialContextToken.

I have also included a trace of the same client and server, but using
Kerberos over SPNEGO.  In this trace, the mechToken is a GSS

Adam Simpkins
simpkins at cisco.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spnego_ntlmssp.pcap
Type: application/cap
Size: 2307 bytes
Desc: not available
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080804/83573f8f/spnego_ntlmssp.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spnego_krb.pcap
Type: application/cap
Size: 4273 bytes
Desc: not available
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080804/83573f8f/spnego_krb.bin

More information about the cifs-protocol mailing list