Hint on how Win2K etc choose raw NTLMSSP vs SPNEGO

Steven French sfrench at us.ibm.com
Wed Oct 9 15:48:00 GMT 2002

In your note below, is the Win2K server a member of a domain or standalone,
and is it currently able to talk with its Kerberos KDC?   What you describe
would make sense (i.e. for the server to use "raw NTLMSSP" and not use
SPNEGO) if there were no Kerberos vs. NTLMSSP security choice to negotiate
(the server would probably not be able to offer Kerberos if it is not part
of a domain or if it could not contact its KDC, so why even bother with
SPNEGO in that case).

Very interesting puzzle.

Subject: Hint on how Win2K etc choose raw NTLMSSP vs SPNEGO

I have a trace of a client talking to a Win2K server, where the server
decides to use raw NTLMSSP, but I also have a trace of a Win2K machine
joining a WinXP domain. In the latter case, the WinXP machine decides to
use SPNEGO, not raw NTLMSSP.

The only difference I can see is in the list of protocols offered in the
NegProt. In all the examples I have looked at, it looks like Win2K and
above choose raw NTLMSSP if they are offered only one dialect, NT LM 0.12.
However, if they are offered more than one dialect, they seem to choose
SPNEGO. Guess I will have to check tomorrow.

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at us.ibm.com
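Added illustration for the two things the thread compares, not code from either
message or from Samba: the dialect list in the SMB_COM_NEGOTIATE request (one
dialect vs. several), and the security blob the server returns, which is either
raw NTLMSSP (starts with "NTLMSSP\0") or a SPNEGO NegTokenInit (GSS-API
InitialContextToken carrying the SPNEGO OID). The SPNEGO parser also lists the
mechanisms the server advertises, which is where Steve's point shows up: a server
that is not a domain member, or cannot reach its KDC, can only list NTLMSSP. Wire
layouts follow MS-CIFS, RFC 2743 and RFC 4178; the mechanism OIDs are the
standard ones; the sample blobs and the PID/MID values are constructed here. The
code does not assume the one-dialect rule Richard proposes, it only makes both
sides of the comparison easy to inspect in a trace.

```python
# Added example for the NegProt / SPNEGO question in this thread. Not code from the
# thread or from Samba. Layouts: MS-CIFS SMB_COM_NEGOTIATE, RFC 2743 InitialContextToken,
# RFC 4178 NegTokenInit. Sample blobs below are constructed, not captured.
import struct

NT_LM_012 = "NT LM 0.12"
ALL_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                "LM1.2X002", "LANMAN2.1", NT_LM_012]          # a typical multi-dialect NegProt

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.48018.1.2.2": "MS KRB5", "1.2.840.113554.1.2.2": "KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}


def smb1_negprot_request(dialects, mid=1):
    """SMB_COM_NEGOTIATE (0x72) request offering the given dialects; PID/MID are arbitrary."""
    hdr = b"\xffSMB" + bytes([0x72]) + struct.pack("<I", 0)   # protocol id, command, NT status
    hdr += bytes([0x18]) + struct.pack("<H", 0xC801)           # Flags; Flags2: UNICODE|NT_STATUS|EXT_SEC|LONG_NAMES
    hdr += bytes(2) + bytes(8) + bytes(2)                      # PIDHigh, SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 0, 0xFEFF, 0, mid)             # TID, PIDLow, UID, MID
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)  # SMB_Dialect entries
    return hdr + bytes([0]) + struct.pack("<H", len(data)) + data            # WordCount, ByteCount, Dialects


def negprot_dialects(req):
    """Recover the dialect list from a NegProt request (the field the two traces differ in)."""
    if req[:4] != b"\xffSMB" or req[4] != 0x72:
        raise ValueError("not an SMB_COM_NEGOTIATE request")
    word_count = req[32]
    byte_count = struct.unpack_from("<H", req, 33 + 2 * word_count)[0]
    data = req[35 + 2 * word_count:][:byte_count]
    return [d[1:].decode("ascii") for d in data.split(b"\x00") if d]   # drop the 0x02 prefix


# Minimal DER helpers, enough for the SPNEGO shapes used here.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                             # base-128, high bit set on all but last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return der(0x06, bytes(out))

def oid_decode(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def spnego_neg_token_init(mech_oids, mech_token=b""):
    """Constructed InitialContextToken { SPNEGO OID, [0] NegTokenInit { [0] mechTypes, [2] mechToken } }."""
    fields = der(0xA0, der(0x30, b"".join(oid_encode(o) for o in mech_oids)))
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))
    return der(0x60, oid_encode(SPNEGO_OID) + der(0xA0, der(0x30, fields)))


def classify_security_blob(blob):
    """Which security exchange the peer chose, from the leading bytes of its blob."""
    if not blob:
        return "empty"
    if blob.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP"
    if blob[0] == 0x60:
        try:
            _, body, _ = der_read(blob)
            tag, oid, _ = der_read(body)
            if tag == 0x06 and oid_decode(oid) == SPNEGO_OID:
                return "SPNEGO NegTokenInit"
        except (IndexError, ValueError):
            pass
    if blob[0] == 0xA1:                            # [1] NegTokenResp, later legs of the exchange
        return "SPNEGO NegTokenResp"
    return "unknown"


def spnego_mech_types(blob):
    """Mechanisms advertised in a SPNEGO NegTokenInit, by name where known."""
    tag, body, _ = der_read(blob)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = der_read(body)
    if tag != 0x06 or oid_decode(oid) != SPNEGO_OID:
        raise ValueError("not SPNEGO")
    _, choice, _ = der_read(body, pos)             # [0] negTokenInit
    _, seq, _ = der_read(choice)                   # SEQUENCE NegTokenInit
    _, mech_types, _ = der_read(seq)               # [0] mechTypes
    _, oid_list, _ = der_read(mech_types)          # SEQUENCE OF MechType
    out, pos = [], 0
    while pos < len(oid_list):
        _, v, pos = der_read(oid_list, pos)
        out.append(MECH_NAMES.get(oid_decode(v), oid_decode(v)))
    return out


if __name__ == "__main__":
    for dialects in ([NT_LM_012], ALL_DIALECTS):
        print(len(negprot_dialects(smb1_negprot_request(dialects))), "dialect(s) offered")
    # Constructed blobs: a domain member can list Kerberos, a standalone server only NTLMSSP.
    domain = spnego_neg_token_init(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2",
                                    "1.3.6.1.4.1.311.2.2.10"])
    standalone = spnego_neg_token_init(["1.3.6.1.4.1.311.2.2.10"])
    for blob in (domain, standalone, b"NTLMSSP\x00" + bytes(8), b""):
        kind = classify_security_blob(blob)
        print(kind, spnego_mech_types(blob) if kind == "SPNEGO NegTokenInit" else [])
```

To apply this to a capture, feed negprot_dialects() the client's NegProt request
and classify_security_blob() the blob from the server's NegProt response (or the
Session Setup that follows); a NegTokenInit whose mechTypes holds only NTLMSSP is
the "nothing to negotiate" case Steve describes.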
