NTLMSSP auth header
Jeremy Allison
jallison at whistle.com
Wed Apr 1 22:40:36 GMT 1998
Luke,
Looking at the NTLMSSP auth header for your DCE
code, I think I know what the format of this should be,
as I have implemented it for Whistle's IMAP server
(MS outlook express uses this header, encoded in base64
into an ascii stream, to do IMAP authentication).
This is the protocol that Dave Thompson of MS promised
to me over a year ago at the MS PDC in Long Beach would
be documented; of course it never has been :-(.
It is the key to talking authenticated to MS active
directory (LDAP server etc.), as well as their 'secure'
Web administration protocol over HTTP.
The protocol looks like this (this is a snapshot from a
Windows 95 to NT IMAP conversation; as such no
UNICODE is used, and the unknown flags fields may
specify if UNICODE is to be used instead):
--------------------------------------------------------------------
Message 1 - Client to server (hello)
00000000 4e 54 4c 4d 53 53 50 00 01 00 00 00 06 82 00 00 |NTLMSSP.........|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 30 00 00 00 00 00 00 00 30 00 00 00 |....0.......0...|
00000030
My guesses as to the meanings are:
Bytes 0 - 7 "NTLMSSP\0"
Bytes 8 - 0xB Message number, little endian format (1)
Bytes 0xC - 0xF - flags of some kind (unknown - specifies ascii ?).
Bytes 0x10 - 0x24 - unknown (must be zero ?)
Bytes 0x24 - 0x27 - length of auth header (little endian format).
Bytes 0x28 - 0x2B - unknown (must be zero ?)
Bytes 0x2C - 0x2F - length of auth header (little endian format).
--------------------------------------------------------------
Message 2 - Server to client (send the challenge)
00000000 4e 54 4c 4d 53 53 50 00 02 00 00 00 09 00 09 00 |NTLMSSP.........|
00000010 28 00 00 00 06 82 01 00 4b 30 45 10 33 6a dd ca |(.......K0E.3j..|
00000020 00 00 00 00 00 00 00 00 46 52 55 49 54 4f 50 49 |........FRUITOPI|
00000030 41                                              |A|
00000031
Bytes 0 - 7 "NTLMSSP\0"
Bytes 8 - 0xB Message number, little endian format (2)
Bytes 0xC - 0xD - Server Domain name length, little endian format.
Bytes 0xE - 0xF - Server Domain name length, little endian format.
Bytes 0x10 - 0x13 - Offset to domain name, little endian format.
Bytes 0x14 - 0x17 - Flags - unknown (*).
Bytes 0x18 - 0x1F - 8 byte random challenge.
Bytes 0x20 - 0x27 - unknown (must be zero ?).
Bytes 0x28 - end of packet. Server Domain name.
(*) My experiments show that returning 0x8207 in
little endian format in the flags field seems to satisfy
both Win95 and NT, when the names are in ascii.
---------------------------------------------------------------
Message 3 - client response to server challenge.
00000000 4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00 |NTLMSSP.........|
00000010 4a 00 00 00 00 00 00 00 62 00 00 00 07 00 07 00 |J.......b.......|
00000020 34 00 00 00 08 00 08 00 3b 00 00 00 07 00 07 00 |4.......;.......|
00000030 43 00 00 00 57 48 49 53 54 4c 45 4a 41 4c 4c 49 |C...WHISTLEJALLI|
00000040 53 4f 4e 53 54 41 42 4c 45 31 XX XX XX XX XX XX |SONSTABLE1T.'...|
00000050 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX |.v.@|..|....h...|
00000060 XX XX                                           |.-|
Bytes 0 - 7 "NTLMSSP\0"
Bytes 8 - 0xB Message number, little endian format (3)
Bytes 0xC - 0xD - Crypto response length, little endian format (24 bytes).
Bytes 0xE - 0xF - Crypto response length, little endian format (24 bytes).
Bytes 0x10 - 0x13 - Offset to start of 24 byte crypto response,
little endian format.
Bytes 0x14 - 0x17 - unknown (must be zero ?).
Bytes 0x18 - 0x1B - Total length of message, little endian format.
Bytes 0x1C - 0x1D - Client Domain name length, little endian format.
Bytes 0x1E - 0x1F - Client Domain name length, little endian format.
Bytes 0x20 - 0x23 - Offset to client domain name, little endian format.
Bytes 0x24 - 0x25 - Username length, little endian format.
Bytes 0x26 - 0x27 - Username length, little endian format.
Bytes 0x28 - 0x2B - Offset to user name, little endian format.
Bytes 0x2C - 0x2D - Client machinename length, little endian format.
Bytes 0x2E - 0x2F - Client machinename length, little endian format.
Bytes 0x30 - 0x33 - Offset to client machinename, little endian format.
Bytes 0x34 - 0x3A - Ascii client domain name.
Bytes 0x3B - 0x42 - Ascii user name.
Bytes 0x43 - 0x49 - Ascii client machinename.
Bytes 0x4A - 0x62 - 24 byte response to crypto challenge (replaced with
'XX's as I don't want to give my password away :-).
------------------------------------------------------------------
What do you think ?
Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
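An added decoder for the three messages laid out in the mail, written for this page and not taken from the mail or from Samba. It follows the byte offsets Jeremy gives for each message (the repeated "length, length, offset" triples are read as one buffer descriptor), and it bounds-checks every offset so a truncated or malformed blob captured from an IMAP or HTTP session raises instead of reading past the end. The bytes of messages 1 and 2 are copied from the dumps above; in message 3 the 24-byte response that Jeremy masked with 'XX' is replaced by a constructed placeholder, and the function and key names are this example's own.

```python
"""Decoder for the NTLMSSP messages described in the mail (added example)."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

# Message 1 (client hello), 48 bytes, copied from the first dump above.
MSG1 = bytes.fromhex(
    "4e544c4d535350000100000006820000"
    "00000000000000000000000000000000"
    "00000000300000000000000030000000"
)

# Message 2 (server challenge, domain "FRUITOPIA"), 49 bytes, from the second dump.
MSG2 = bytes.fromhex(
    "4e544c4d535350000200000009000900"
    "28000000068201004b304510336addca"
    "000000000000000046525549544f5049"
    "41"
)

# Message 3 (client response): the 0x34-byte header and the three ASCII names
# are from the third dump; the 24 masked 'XX' bytes are a constructed stand-in.
RESPONSE_PLACEHOLDER = bytes([0xEE]) * 24
MSG3 = (
    bytes.fromhex(
        "4e544c4d535350000300000018001800"
        "4a000000000000006200000007000700"
        "34000000080008003b00000007000700"
        "43000000"
    )
    + b"WHISTLE" + b"JALLISON" + b"STABLE1" + RESPONSE_PLACEHOLDER
)


def _buffer(blob, at):
    """Read a little endian (length, length, offset) triple at `at` and return
    the bytes it points to, refusing offsets that run past the message."""
    length, _length_again, offset = struct.unpack_from("<HHI", blob, at)
    if offset + length > len(blob):
        raise ValueError("buffer descriptor at 0x%x points past end of message" % at)
    return blob[offset:offset + length]


def parse_ntlmssp(blob):
    """Describe one NTLMSSP message as a dict, or raise ValueError."""
    if len(blob) < 12 or blob[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type, = struct.unpack_from("<I", blob, 8)

    if msg_type == 1:  # hello: flags at 0xC, header length at 0x24 and 0x2C
        if len(blob) < 0x30:
            raise ValueError("message 1 too short")
        flags, = struct.unpack_from("<I", blob, 0xC)
        length, = struct.unpack_from("<I", blob, 0x24)
        return {"type": 1, "flags": flags, "length": length}

    if msg_type == 2:  # challenge: domain descriptor at 0xC, flags 0x14, nonce 0x18
        if len(blob) < 0x28:
            raise ValueError("message 2 too short")
        domain = _buffer(blob, 0xC)
        flags, = struct.unpack_from("<I", blob, 0x14)
        return {"type": 2, "flags": flags, "challenge": blob[0x18:0x20],
                "domain": domain.decode("ascii", "replace")}

    if msg_type == 3:  # response: descriptors at 0xC, 0x1C, 0x24, 0x2C; total at 0x18
        if len(blob) < 0x34:
            raise ValueError("message 3 too short")
        total, = struct.unpack_from("<I", blob, 0x18)
        if total != len(blob):
            raise ValueError("declared length %d != actual %d" % (total, len(blob)))
        return {"type": 3, "total_length": total,
                "response": _buffer(blob, 0xC),
                "domain": _buffer(blob, 0x1C).decode("ascii", "replace"),
                "user": _buffer(blob, 0x24).decode("ascii", "replace"),
                "workstation": _buffer(blob, 0x2C).decode("ascii", "replace")}

    raise ValueError("unknown message number %d" % msg_type)


def parse_ntlmssp_b64(text):
    """Decode the base64 form the blob takes in the IMAP (or HTTP) stream."""
    return parse_ntlmssp(base64.b64decode(text, validate=True))


def is_well_formed(blob):
    """True if the blob parses under the layout above; False on any defect."""
    try:
        parse_ntlmssp(blob)
        return True
    except (ValueError, struct.error):
        return False


# Message 2 as it would appear base64-encoded on the wire.
MSG2_B64 = base64.b64encode(MSG2).decode("ascii")

if __name__ == "__main__":
    for msg in (MSG1, MSG2, MSG3):
        print(parse_ntlmssp(msg))
```

Feeding the two captured messages through parse_ntlmssp recovers the flag words 0x8206 and 0x18206, the server domain FRUITOPIA with its 8-byte challenge, and the WHISTLE / JALLISON / STABLE1 names from message 3, which is the data a mail or proxy log would want to record for each authentication attempt; is_well_formed shows the same code rejecting a message 2 cut off before its domain name.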