[cifs-protocol] RE: (More): Status: SRX080803600053: [MS-NLMP] raw NTLMSSP tokens in GSS-API/SPNEGO

Bill Wesse billwe at microsoft.com
Wed Oct 8 14:55:52 GMT 2008 

My pleasure!

Here is copy of tentative text changes to the [MS-SPNG] document (these are waiting for internal approval - I will advise you as soon as the text is finalized):

==============================================================================
OID 1.2.840.113554.1.2.2 is ALWAYS included in the mechToken/responseToken.
------------------------------------------------------------------------------

Original text:

<5> Section 3.1.5.2:  Windows versions offer and accept two distinct OIDs as
    identifiers for the Kerberos authentication mechanism. The SPNEGO
    extensions consider both OIDs as equivalent and make no distinction
    between them.

    Windows 2000 incorrectly encoded the OID for the Kerberos protocol. Rather
    than the OID { iso(1) member-body(2) United States(840) mit(113554)
    infosys(1) gssapi(2) krb5(2) }, an implementation error truncated the
    values at 16 bits. Therefore, the OID became { iso(1) member-body(2)
    United States(840) ???(48018) infosys(1) gssapi(2) krb5 (2) }. 48018 is
    not a known member under that OID branch; this is an error.

    Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
    do not truncate the value, and they correctly offer and receive
    1.2.840.113554.1.2.2. For compatibility reasons, the erroneous value
    (1.2.840.48018.1.2.2) is still offered and accepted by systems that run
    Windows 2000. The presence of this value can be used to determine that the
    peer is a Windows 2000 implementation.

New text:

<5> Section 3.1.5.2:  Windows versions offer and accept two distinct OIDs as
    identifiers for the Kerberos authentication mechanism. The SPNEGO
    extensions consider both OIDs as equivalent and make no distinction
    between them.

    Windows 2000 incorrectly encoded the OID for the Kerberos protocol. Rather
    than the OID { iso(1) member-body(2) United States(840) mit(113554)
    infosys(1) gssapi(2) krb5(2) }, an implementation error truncated the
    values at 16 bits. Therefore, the OID became { iso(1) member-body(2)
    United States(840) ???(48018) infosys(1) gssapi(2) krb5 (2) }. 48018 is
    not a known member under that OID branch; this is an error. The singular
    presence of this incorrect OID (1.2.840.48018.1.2.2) can be used to
    determine that the peer is a Windows 2000 implementation.

    Windows XP and later do not truncate the OID, and they correctly offer
    and receive 1.2.840.113554.1.2.2. For compatibility reasons, on Windows XP
    and later, the erroneous value (1.2.840.48018.1.2.2) is sent in addition
    to the correct value (1.2.840.113554.1.2.2) Both values are considered
    equivalent and Windows makes no distinction between the two.

    The mechToken and responseToken always contain the standard OID
    (1.2.840.113554.1.2.2) within the thisMech field, even when the
    supportedMech chosen by SPNEGO is (1.2.840.48018.1.2.2). Windows Kerberos
    servers do not accept the "truncated" OID in the thisMech field.

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606
We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted


-----Original Message-----
From: Adam Simpkins [mailto:simpkins at cisco.com]
Sent: Friday, October 03, 2008 10:08 PM
To: Bill Wesse
Cc: 'cifs-protocol at samba.org'
Subject: Re: (More): Status: SRX080803600053: [MS-NLMP] raw NTLMSSP tokens in GSS-API/SPNEGO

On Fri, Oct 03, 2008 at 07:18:05AM -0700, Bill Wesse wrote:
> Good morning again! Our documentation development team advises me the following change will be implemented in a future posting of [MS-SMB]:
>
> [MS-SMB]: Server Message Block (SMB) Protocol Specification
> Section 3.2.4.2.3 User Authentication (Extended Security subtopic)
>
> Current Text:
>
> In either case, it initializes the GSS authentication protocol with the MutualAuth and Delegate options, which are specified in [MS-KILE] section 3.2.1.1.<173>
>
> Request to update with:
>
> In either case, it initializes the GSS authentication protocol with the MutualAuth and Delegate options, which are specified in [MS-KILE] section 3.2.1.1.<173> See also [MS-SPNG] section 3.2.5.2.

Okay.  Thanks for the update.

--
Adam Simpkins
simpkins at cisco.com

More information about the cifs-protocol mailing list