MS's implementation of SPNEGO ...

Richard Sharpe rsharpe at
Wed Oct 9 03:42:01 GMT 2002


According to RFC2478, a negTokenInit consists of:

NegTokenInit ::= SEQUENCE {
                            mechTypes       [0] MechTypeList  OPTIONAL,
                            reqFlags        [1] ContextFlags  OPTIONAL,
                            mechToken       [2] OCTET STRING  OPTIONAL,
                            mechListMIC     [3] OCTET STRING  OPTIONAL
}

ContextFlags ::= BIT STRING {
        delegFlag       (0),
        mutualFlag      (1),
        replayFlag      (2),
        sequenceFlag    (3),
        anonFlag        (4),
        confFlag        (5),
        integFlag       (6)
}



The mechListMIC is an optional field. In the case that the chosen 
mechanism supports integrity, the initiator may optionally include a 
mechListMIC which is the result of a GetMIC of the MechTypes in the 
initial NegTokenInit and return GSS_S_COMPLETE. 

That is, the mechListMIC should be a Message Integrity Code, not an 
indicator of the default mechType it would like negotiated.

Richard Sharpe, rsharpe at, rsharpe at, 
sharpe at,

More information about the samba-technical mailing list
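An added example (not from the post above, and not Samba's code) showing the point in working code: a minimal DER encoder/parser for the SPNEGO NegTokenInit as defined above, where mechListMIC is computed over the DER encoding of the MechTypeList and then checked by the receiver. GSS_GetMIC is mechanism specific, so HMAC-SHA256 under a constructed key (SESSION_KEY) stands in for it here; that substitution, the key and the OID names are assumptions of the example, not anything the post or RFC 2478 specifies. What the example does show is why the field has to be a MIC: a token whose mechListMIC carries an OID "hint" instead of a MIC fails the check, and so does a token whose mechTypes were reordered after the MIC was taken.

```python
"""SPNEGO NegTokenInit (RFC 2478) encode/parse with a mechListMIC check.
HMAC-SHA256 under a constructed key stands in for the chosen mechanism's
GSS_GetMIC (assumption); the MIC input, the DER of MechTypeList, is the point."""
import hashlib
import hmac

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
SESSION_KEY = b"constructed-session-key-for-demo"  # assumption: shared MIC key


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):  # one DER tag-length-value
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return tlv(0x06, bytes(body))


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0  # enough for 1.x/0.x arcs used here
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):  # returns (tag, value bytes, position after the TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def get_mic(data, key=SESSION_KEY):  # stand-in for GSS_GetMIC (assumption)
    return hmac.new(key, data, hashlib.sha256).digest()


def mech_type_list_der(mechs):  # MechTypeList ::= SEQUENCE OF MechType
    return tlv(0x30, b"".join(encode_oid(m) for m in mechs))


def build_neg_token_init(mechs, mech_list_mic, mech_token=b""):
    fields = tlv(0xA0, mech_type_list_der(mechs))          # [0] mechTypes
    if mech_token:
        fields += tlv(0xA2, tlv(0x04, mech_token))          # [2] mechToken
    if mech_list_mic is not None:
        fields += tlv(0xA3, tlv(0x04, mech_list_mic))       # [3] mechListMIC
    negotiation_token = tlv(0xA0, tlv(0x30, fields))        # negTokenInit [0]
    return tlv(0x60, encode_oid(SPNEGO_OID) + negotiation_token)  # RFC 2743 3.1


def parse_neg_token_init(token):
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not an InitialContextToken")
    tag, oid_body, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit")
    _, seq, _ = read_tlv(choice)
    out, pos = {}, 0
    while pos < len(seq):  # context tag number -> inner DER
        tag, val, pos = read_tlv(seq, pos)
        out[tag & 0x1F] = val
    if 0 in out:
        out["mechTypes_der"] = out[0]  # exactly the bytes GetMIC must cover
        oids, p, lst = [], 0, read_tlv(out[0])[1]
        while p < len(lst):
            _, v, p = read_tlv(lst, p)
            oids.append(decode_oid(v))
        out["mechTypes"] = oids
    if 3 in out:
        out["mechListMIC"] = read_tlv(out[3])[1]
    return out


def verify_mech_list_mic(token, key=SESSION_KEY):
    p = parse_neg_token_init(token)
    if "mechListMIC" not in p or "mechTypes_der" not in p:
        return None  # field is OPTIONAL; nothing to check
    return hmac.compare_digest(p["mechListMIC"], get_mic(p["mechTypes_der"], key))


if __name__ == "__main__":
    mechs = [KRB5_OID, NTLMSSP_OID]
    good = build_neg_token_init(mechs, get_mic(mech_type_list_der(mechs)))
    print(parse_neg_token_init(good)["mechTypes"], verify_mech_list_mic(good))
    hint = build_neg_token_init(mechs, encode_oid(KRB5_OID))  # OID "hint", not a MIC
    print(verify_mech_list_mic(hint))
    swapped = build_neg_token_init(mechs[::-1], get_mic(mech_type_list_der(mechs)))
    print(verify_mech_list_mic(swapped))  # list reordered after MIC taken
```

The receiver never trusts the decoded list on its own: it re-runs GetMIC over the mechTypes bytes it actually received and compares. That is what makes the field useful against an attacker who rewrites the list to steer negotiation toward a weaker mechanism.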