[cifs-protocol] RE: Status: raw NTLMSSP tokens in GSS-API/SPNEGO? SRX080803600053

Bill Wesse billwe at microsoft.com
Tue Aug 5 10:53:41 GMT 2008

Thank you sir! I will begin my investigation this morning!

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606
We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Adam Simpkins [mailto:simpkins at cisco.com]
Sent: Monday, August 04, 2008 4:49 PM
To: Bill Wesse
Cc: 'cifs-protocol at samba.org'
Subject: Re: Status: raw NTLMSSP tokens in GSS-API/SPNEGO? SRX080803600053

On Mon, Aug 04, 2008 at 04:17:29AM -0700, Bill Wesse wrote:
> Good morning once again. You noted in your question that you can
> provide a network trace of the NTLM behavior you reported. I would
> deeply appreciate it if you would send one to me. Could you also note
> the OS versions of the client and server (just in case, even though
> the NtlmsspAuthenticaeMessage may contain a Version structure.

Please find a trace attached.  This was taken between a client running Windows XP SP3 and a server running Windows Server 2003 SP2 (Enterprise Edition).

Frame 6 contains the initial SESSION_SETUP_ANDX request.  This contains a GSS-API InitialContextToken that uses SPNEGO.  The mechToken inside the SPNEGO NegTokenInit contains just raw NTLMSSP data.  According to RFC 4178 section 3.2 item (c), this should be a GSS InitialContextToken.

I have also included a trace of the same client and server, but using Kerberos over SPNEGO.  In this trace, the mechToken is a GSS InitialContextToken.

Adam Simpkins
simpkins at cisco.com

More information about the cifs-protocol mailing list