NTLMSSP auth header

Jeremy Allison jallison at whistle.com
Wed Apr 1 22:40:36 GMT 1998


Luke,

	Looking at the NTLMSSP auth header for your DCE
code, I think I know what the format of this should be,
as I have implemented it for Whistle's IMAP server
(MS outlook express uses this header, encoded in base64
into an ascii stream, to do IMAP authentication).

This is the protocol that Dave Thompson of MS promised
to me over a year ago at the MS PDC in Long Beach would
be documented; of course it never has been :-(.

It is the key to talking authenticated to MS active
directory (LDAP server etc.), as well as their 'secure'
Web administration protocol over HTTP.

The protocol looks like this (this is a snapshot from a
Windows 95 to NT IMAP conversation; as such no
UNICODE is used, and the unknown flags fields may
specify if UNICODE is to be used instead):

--------------------------------------------------------------------

Message 1 - Client to server (hello)

00000000  4e 54 4c 4d 53 53 50 00  01 00 00 00 06 82 00 00  |NTLMSSP.........|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 30 00 00 00  00 00 00 00 30 00 00 00  |....0.......0...|
00000030

My guesses as to the meanings are :

Bytes 0 - 7  "NTLMSSP\0"
Bytes 8 - 0xB Message number, little endian format (1)
Bytes 0xC - 0xF - flags of some kind (unknown - specifies ascii ?).
Bytes 0x10 - 0x24 - unknown (must be zero ?)
Bytes 0x24 - 0x27 - length of auth header (little endian format).
Bytes 0x28 - 0x2B - unknown (must be zero ?)
Bytes 0x2C - 0x2F - length of auth header (little endian format).

--------------------------------------------------------------

Message 2 - Server to client (send the challenge)

00000000  4e 54 4c 4d 53 53 50 00  02 00 00 00 09 00 09 00  |NTLMSSP.........|
00000010  28 00 00 00 06 82 01 00  4b 30 45 10 33 6a dd ca  |(.......K0E.3j..|
00000020  00 00 00 00 00 00 00 00  46 52 55 49 54 4f 50 49  |........FRUITOPI|
00000030  41                                                |A|
00000031

Bytes 0 - 7  "NTLMSSP\0"
Bytes 8 - 0xB Message number, little endian format (2)
Bytes 0xC - 0xD - Server Domain name length, little endian format.
Bytes 0xE - 0xF - Server Domain name length, little endian format.
Bytes 0x10 - 0x13 - Offset to domain name, little endian format.
Bytes 0x14 - 0x17 - Flags - unknown (*).
Bytes 0x18 - 0x1F - 8 byte random challenge.
Bytes 0x20 - 0x27 - unknown (must be zero ?).
Bytes 0x28 - end of packet. Server Domain name.

(*) My experiments show that returning 0x8207 in
little endian format in the flags field seems to satisfy
both Win95 and NT, when the names are in ascii.

---------------------------------------------------------------

Message 3 - client response to server challenge.

00000000  4e 54 4c 4d 53 53 50 00  03 00 00 00 18 00 18 00  |NTLMSSP.........|
00000010  4a 00 00 00 00 00 00 00  62 00 00 00 07 00 07 00  |J.......b.......|
00000020  34 00 00 00 08 00 08 00  3b 00 00 00 07 00 07 00  |4.......;.......|
00000030  43 00 00 00 57 48 49 53  54 4c 45 4a 41 4c 4c 49  |C...WHISTLEJALLI|
00000040  53 4f 4e 53 54 41 42 4c  45 31 XX XX XX XX XX XX  |SONSTABLE1T.'...|
00000050  XX XX XX XX XX XX XX XX  XX XX XX XX XX XX XX XX  |.v.@|..|....h...|
00000060  XX XX                                             |.-|

Bytes 0 - 7  "NTLMSSP\0"
Bytes 8 - 0xB Message number, little endian format (3)
Bytes 0xC - 0xD - Crypto response length, little endian format (24 bytes).
Bytes 0xE - 0xF - Crypto response length, little endian format (24 bytes).
Bytes 0x10 - 0x13 - Offset to start of 24 byte crypto response, 
                    little endian format.
Bytes 0x14 - 0x17 - unknown (must be zero ?).
Bytes 0x18 - 0x1B - Total length of message, little endian format.
Bytes 0x1C - 0x1D - Client Domain name length, little endian format.
Bytes 0x1E - 0x1F - Client Domain name length, little endian format.
Bytes 0x20 - 0x23 - Offset to client domain name, little endian format.
Bytes 0x24 - 0x25 - Username length, little endian format.
Bytes 0x26 - 0x27 - Username length, little endian format.
Bytes 0x28 - 0x2B - Offset to user name, little endian format.
Bytes 0x2C - 0x2D - Client machinename length, little endian format.
Bytes 0x2E - 0x2F - Client machinename length, little endian format.
Bytes 0x30 - 0x33 - Offset to client machinename, little endian format.
Bytes 0x34 - 0x3A - Ascii client domain name.
Bytes 0x3B - 0x42 - Ascii user name.
Bytes 0x43 - 0x49 - Ascii client machinename.
Bytes 0x4A - 0x62 - 24 byte response to crypto challenge (replaced with
                    'XX's as I don't want to give my password away :-).

------------------------------------------------------------------

What do you think ?

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
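As an added illustration (not part of Jeremy's mail or of Samba's code), the Python parser below walks the three messages above using exactly the field layout the mail guesses, with the three dumps re-typed as constructed sample input. The 24 withheld 'XX' response bytes are replaced by a labelled placeholder, and every (length, length, offset) triple is bounds-checked before slicing, which is the check a server-side reader of this header needs so that a bogus offset cannot read outside the message.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _secbuf(data, off):
    # One (length, length, offset) triple, little endian, as the mail lays them out.
    # Bounds-check before slicing so a bogus offset cannot read outside the message.
    length, length2, offset = struct.unpack_from("<HHI", data, off)
    if length != length2 or offset + length > len(data):
        raise ValueError("inconsistent security buffer at 0x%x" % off)
    return data[offset:offset + length]

def parse_ntlmssp(data):
    """Decode a type 1, 2 or 3 message using the field layout guessed in the mail."""
    if len(data) < 12 or data[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type == 1:                      # client hello: flags plus two header lengths
        if len(data) < 0x30:
            raise ValueError("type 1 message truncated")
        flags = struct.unpack_from("<I", data, 0xC)[0]
        lengths = struct.unpack_from("<I", data, 0x24) + struct.unpack_from("<I", data, 0x2C)
        return {"type": 1, "flags": flags, "header_lengths": lengths}
    if msg_type == 2:                      # server challenge
        if len(data) < 0x28:
            raise ValueError("type 2 message truncated")
        domain = _secbuf(data, 0xC)
        flags = struct.unpack_from("<I", data, 0x14)[0]
        return {"type": 2, "flags": flags, "challenge": data[0x18:0x20],
                "domain": domain.decode("ascii")}
    if msg_type == 3:                      # client response to the challenge
        if len(data) < 0x34 or struct.unpack_from("<I", data, 0x18)[0] != len(data):
            raise ValueError("type 3 message truncated or length field mismatch")
        response = _secbuf(data, 0xC)
        domain, user, host = (_secbuf(data, o).decode("ascii") for o in (0x1C, 0x24, 0x2C))
        return {"type": 3, "response": response, "domain": domain, "user": user, "host": host}
    raise ValueError("unsupported message type %d" % msg_type)

# Constructed sample input: the three dumps from the mail, re-typed as hex.
MSG1 = bytes.fromhex("4e544c4d535350000100000006820000" + "00" * 16
                     + "00000000300000000000000030000000")
MSG2 = bytes.fromhex("4e544c4d535350000200000009000900" "28000000068201004b304510336addca"
                     "000000000000000046525549544f5049" "41")
# The 24 response bytes the author withheld ('XX') are replaced by a placeholder 0..23.
MSG3 = bytes.fromhex("4e544c4d535350000300000018001800" "4a000000000000006200000007000700"
                     "34000000080008003b00000007000700" "4300000057484953544c454a414c4c49"
                     "534f4e535441424c4531") + bytes(range(24))
```

Running `parse_ntlmssp` over MSG2 yields the FRUITOPIA domain, the 0x00018206 flags word and the 8-byte challenge from the dump; over MSG3 it yields WHISTLE / JALLISON / STABLE1 and the placeholder response.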


More information about the samba-technical mailing list