[cifs-protocol] 600169 - RE: DCE/RPC PFC_SUPPORT_HEADER_SIGN not
rguthrie at microsoft.com
Fri Jul 25 18:43:36 GMT 2008
I will be working to resolve your issue. Would it be possible to have you capture and send us a network trace that captures the behavior you are seeing?
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, July 24, 2008 10:36 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: DCE/RPC PFC_SUPPORT_HEADER_SIGN not optional
MS-RPCE 126.96.36.199.2.2 implies that the PFC_SUPPORT_HEADER_SIGN bit in the RPC bind messages negotiates optional support for header signing.
however, this is not the case - the client (Vista SP1 in this case) will sign the RPC headers if the target security mechanism supports it.
(ie, original style NTLM has unsigned headers, NTLM2 session security signs them, GSSAPI does not, unless using AES per MS-KILE 188.8.131.52.1)
Therefore the documentation for this extension should be rewritten to indicate that this is an informative bit, not a negotiated flag.
(And while painful to me, if this were to be a real negotiation, the attacker this feature is expected to disrupt would be able to simply turn it off).
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
More information about the cifs-protocol