Funny security blob in sesssetup&X.

[Steven French]

Jim convinced me that my theory was wrong - the mystery blob is a
negTokenInit - there are two negTokenInits in the overall flow then (one in
the negprot response and one in the first sesssetup request).   I hate it
when this stuff finally makes sense

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at us.ibm.com
---------------------- Forwarded by Steven French/Austin/IBM on 08/28/2002
10:45 AM ---------------------------

Steven French
08/28/2002 10:15 AM

To:    samba-technical at samba.org
cc:
From:  Steven French/Austin/IBM at IBMUS
Subject:    Funny security blob in sesssetup&X.


It looks like a negTokenTarg to me.  Note that the NTLMSSP format is mostly
described in chapter 11 of the ActiveX reference book, now online on the
OpenGroup site at
http://www.opengroup.org/onlinepubs/009899899/NCH1222X.HTM (the rest of the
book covers ActiveX and MS DCE/RPC and is at
http://www.opengroup.org/onlinepubs/009899899/toc.htm).  I wish I had seen
that document years ago it would have saved us some time.  I had been
putting off getting a copy for a long time.

For the SPNEGO formatting it seems that the negTokenInit and negTokenTarg
are distinguished by context (the negTokenInit coming first) but the [0]
and [2] in the dumpasn output probably refer to the field numberings in the
RFC, specifically "supportedMech" and "responseToken" respectively even
though based on RFC2478 you would expect the targ to include [0] as
negResult not just the optional fields [1] as supportedMech and [2] as
responseToken

From: Richard Sharpe <rsharpe at ns.aus.com>
To: <samba-technical at samba.org>

>Here is the content of the security blob in a sessionsetup&X from a Win2K
box.
>
>It looks wrong because it seems to be a negTokenInit, not the
>negTokenTarg I would expect.
>
>Can anyone comment?

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at us.ibm.com