[cifs-protocol] RE: Status: raw NTLMSSP tokens in GSS-API/SPNEGO? SRX080803600053

Bill Wesse billwe at microsoft.com
Tue Aug 5 10:54:02 GMT 2008

Thanks you again!

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606
We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Adam Simpkins [mailto:simpkins at cisco.com]
Sent: Monday, August 04, 2008 7:23 PM
To: Bill Wesse
Cc: 'cifs-protocol at samba.org'
Subject: Re: Status: raw NTLMSSP tokens in GSS-API/SPNEGO? SRX080803600053

On Mon, Aug 04, 2008 at 01:48:37PM -0700, Adam Simpkins wrote:
> On Mon, Aug 04, 2008 at 04:17:29AM -0700, Bill Wesse wrote:
> > Good morning once again. You noted in your question that you can
> > provide a network trace of the NTLM behavior you reported. I would
> > deeply appreciate it if you would send one to me. Could you also
> > note the OS versions of the client and server (just in case, even
> > though the NtlmsspAuthenticaeMessage may contain a Version
> > structure.

Here's another trace of a Windows XP SP3 client sending raw NTLMSSP (no SPNEGO) to a server.  This server is just a proxy in front of a Windows Server 2003 machine, but I configured it to strip off the securit blob from the server's NEGOTIATE response before sending it to the client.  This causes the client to send raw NTLMSSP instead of SPNEGO.

Based on the documentation in MS-SMB 2.2.4 and MS-SMB, I would expect the client to send a GSS authentication token here (i.e., an InitialContextToken).  However, in this case the client sends raw NTLMSSP data.

A resonable explanation for this would be that Microsoft's GSS-API implementation accepts raw NTLMSSP data for the first token, in addition to normal GSS InitialContextTokens.  I think this is what item <8> of MS-SPNG Appendix A is trying to explain, but it mentions this as an extension of SPNEGO, not GSS-API.  Assuming that this is a general extension that Microsoft has made to their GSS-API implementation, this would also explain the lack of the InitialContextToken for NTLMSSP when SPNEGO is used.

Another related point that should probably be documented is that Windows servers do not seem to accept well-formed GSS InitialContextTokens containing NTLMSSP.  I have attached a trace of that, too.  (The server is the same Windows Server 2003 system as in the other traces.)

Adam Simpkins
simpkins at cisco.com

More information about the cifs-protocol mailing list