[cifs-protocol] Re: Status: raw NTLMSSP tokens in GSS-API/SPNEGO? SRX080803600053

Adam Simpkins simpkins at cisco.com
Mon Aug 4 23:23:07 GMT 2008

On Mon, Aug 04, 2008 at 01:48:37PM -0700, Adam Simpkins wrote:
> On Mon, Aug 04, 2008 at 04:17:29AM -0700, Bill Wesse wrote:
> > Good morning once again. You noted in your question that you can
> > provide a network trace of the NTLM behavior you reported. I would
> > deeply appreciate it if you would send one to me. Could you also
> > note the OS versions of the client and server (just in case, even
> > though the NtlmsspAuthenticaeMessage may contain a Version
> > structure).

Here's another trace of a Windows XP SP3 client sending raw NTLMSSP
(no SPNEGO) to a server.  This server is just a proxy in front of a
Windows Server 2003 machine, but I configured it to strip off the
security blob from the server's NEGOTIATE response before sending it to
the client.  This causes the client to send raw NTLMSSP instead of

Based on the documentation in MS-SMB 2.2.4 and MS-SMB, I
would expect the client to send a GSS authentication token here (i.e.,
an InitialContextToken).  However, in this case the client sends raw

A reasonable explanation for this would be that Microsoft's GSS-API
implementation accepts raw NTLMSSP data for the first token, in
addition to normal GSS InitialContextTokens.  I think this is what
item <8> of MS-SPNG Appendix A is trying to explain, but it mentions
this as an extension of SPNEGO, not GSS-API.  Assuming that this is a
general extension that Microsoft has made to their GSS-API
implementation, this would also explain the lack of the
InitialContextToken for NTLMSSP when SPNEGO is used.

Another related point that should probably be documented is that
Windows servers do not seem to accept well-formed GSS
InitialContextTokens containing NTLMSSP.  I have attached a trace of
that, too.  (The server is the same Windows Server 2003 system as in
the other traces.)

Adam Simpkins
simpkins at cisco.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: raw_ntlmssp.pcap
Type: application/cap
Size: 2246 bytes
Desc: not available
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080804/ce55a4b2/raw_ntlmssp.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gss_ntlmssp.pcap
Type: application/cap
Size: 1466 bytes
Desc: not available
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080804/ce55a4b2/gss_ntlmssp.bin
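
The two framings contrasted in the message above can be told apart from the first bytes of the security blob. The following is an added example, not part of the original post or of any Microsoft or Samba code: it assumes the RFC 2743 InitialContextToken layout (tag 0x60, DER length, mechanism OID, inner token) and the MS-NLMP message header, and the function names and sample bytes are constructed for illustration.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs: tag 0x06, length, contents
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_type(msg):
    """Name the NTLMSSP message from its little-endian MessageType field."""
    if len(msg) < 12:
        return "truncated"
    return NTLM_TYPES.get(struct.unpack_from("<I", msg, 8)[0], "unknown-type")

def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of contents)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_first_token(blob):
    """Classify the first security blob a client sends."""
    if blob.startswith(NTLMSSP_SIG):
        return "raw NTLMSSP " + ntlm_type(blob)
    if len(blob) < 2 or blob[0] != 0x60:  # [APPLICATION 0] tag of InitialContextToken
        return "unrecognized"
    try:
        length, pos = der_length(blob, 1)
    except ValueError:
        return "malformed GSS token"
    body = blob[pos:pos + length]
    if len(body) != length:
        return "malformed GSS token"
    if body.startswith(OID_SPNEGO):
        return "GSS InitialContextToken: SPNEGO"
    if body.startswith(OID_NTLMSSP):
        inner = body[len(OID_NTLMSSP):]
        if inner.startswith(NTLMSSP_SIG):
            return "GSS InitialContextToken: NTLMSSP " + ntlm_type(inner)
        return "malformed GSS token"
    return "GSS InitialContextToken: other mechanism"

# Constructed samples (not taken from the attached traces): a 16-byte NTLMSSP
# NEGOTIATE header, and the same bytes wrapped as a GSS InitialContextToken.
RAW = NTLMSSP_SIG + struct.pack("<II", 1, 0x00000207)
WRAPPED = bytes([0x60, len(OID_NTLMSSP) + len(RAW)]) + OID_NTLMSSP + RAW
```
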
