[cifs-protocol] [REG: 111070650721347] Behavior of AllowNT4Crypto
edgaro at microsoft.com
Mon Jul 11 15:27:01 MDT 2011
The AllowNT4Crypto parameter controls whether NT4 crypto, i.e. DES algorithm, is allowed. The default value is false.
The RequireStrongKey (NegotiateFlags Bit O - Supports strong keys) was introduced in Windows 2000 and enables the computation of a 128 session key (so-called strong key) by using MD5. The strong key usually refers to the combination of MD5 and RC4.
AES/SHA2 support is introduced in Windows 2008 R2, and is labeled by the NegotiateFlags Bit W, as documented in MS-NRPC 184.108.40.206.
When set to true, the AllowNT4Crypto allows session negotiation which does not have the STRONG_KEY bit set (NegotiateFlags Bit O). If AllowNT4Crypto is false and STRONG_KEY bit is not set, the server fails the session-key negotiation and returns STATUS_DOWNGRADE_DETECTED.
Note that the use of AllowNT4Crypto might have issues with some implementations that went directly to AES without going through RC4. There is an additional RejectMD5Clients registry key (ref. MS-NRPC 3.5.1, and 220.127.116.11.2, Windows 7 / 2008 R2), which will not allow even RC4/MD5 based negotiation to occur, and restricts it only to the AES/SHA cryptosystem.
The product team will be reflecting this description in the MS-NRPC document.
Related KB: http://support.microsoft.com/kb/942564
From: Edgar Olougouna
Sent: Wednesday, July 06, 2011 4:41 PM
To: Stefan (metze) Metzmacher; pfif at tridgell.net; cifs-protocol at samba.org
Subject: [REG: 111070650721347] Behavior of AllowNT4Crypto
[Adding case number]
I am taking care of this. I have opened a document issue on MS-NRPC. I will follow up as soon as I have news.
From: Josh Curry
Sent: Tuesday, July 05, 2011 10:21 AM
To: Stefan (metze) Metzmacher; Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Behavior of AllowNT4Crypto
Hi Stefan, thank you for your question. A member of the protocol documentation team will be in touch with you soon.
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at allisong at microsoft.com.
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Tuesday, July 05, 2011 2:04 AM
To: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Behavior of AllowNT4Crypto
Can you please document the behavior that is triggered by the following parameter?
I can't find this in MS-NRPC.
Is there any interaction with the RequireStrongKey parameter?
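
The server-side check described in the reply at the top of this thread, as an added C example that is not part of the original messages and is not Microsoft or Samba code. It models the rule as the message states it; the struct, enum and function names are hypothetical, and the status returned for RejectMD5Clients is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NegotiateFlags bits named in the thread (values from MS-NRPC). */
#define NEG_STRONG_KEYS  0x00004000u /* bit O: 128-bit MD5/RC4 strong key */
#define NEG_SUPPORTS_AES 0x01000000u /* bit W: AES/SHA2 */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_DOWNGRADE_DETECTED 0xC0000388u
/* Hypothetical holder for the two server settings discussed above. */
struct nrpc_policy {
    bool allow_nt4_crypto;   /* AllowNT4Crypto, default false */
    bool reject_md5_clients; /* RejectMD5Clients */
};

enum nrpc_crypto { CRYPTO_NONE, CRYPTO_DES, CRYPTO_MD5_RC4, CRYPTO_AES_SHA2 };
/* Apply the stated checks, then pick the strongest offered cryptosystem. */
uint32_t nrpc_negotiate(const struct nrpc_policy *p, uint32_t flags,
                        enum nrpc_crypto *chosen)
{
    *chosen = CRYPTO_NONE;
    /* Stated rule: no STRONG_KEY bit and AllowNT4Crypto false => fail.
     * Read literally this also rejects a client that sets only bit W. */
    if (!p->allow_nt4_crypto && !(flags & NEG_STRONG_KEYS))
        return STATUS_DOWNGRADE_DETECTED;
    /* RejectMD5Clients: AES/SHA only. The status code used here is an
     * assumption; the message does not name it. */
    if (p->reject_md5_clients && !(flags & NEG_SUPPORTS_AES))
        return STATUS_DOWNGRADE_DETECTED;
    if (flags & NEG_SUPPORTS_AES)
        *chosen = CRYPTO_AES_SHA2;
    else if (flags & NEG_STRONG_KEYS)
        *chosen = CRYPTO_MD5_RC4;
    else
        *chosen = CRYPTO_DES; /* only reachable with AllowNT4Crypto true */
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed client flag sets, run against the default policy. */
    const uint32_t samples[] = { 0, NEG_STRONG_KEYS, NEG_SUPPORTS_AES,
                                 NEG_STRONG_KEYS | NEG_SUPPORTS_AES };
    struct nrpc_policy dflt = { false, false };
    enum nrpc_crypto c;
    for (int i = 0; i < 4; i++)
        printf("flags=0x%08x status=0x%08x\n", (unsigned)samples[i],
               (unsigned)nrpc_negotiate(&dflt, samples[i], &c));
    return 0;
}
```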