Hint on how Win2K etc choose raw NTLMSSP vs SPNEGO
Richard Sharpe
rsharpe at ns.aus.com
Wed Oct 9 16:58:00 GMT 2002
On Wed, 9 Oct 2002, Steven French wrote:
> Richard,
> In your note below is the Win2K server a member of a domain or standalone
> and is it currently able to talk with its Kerberos KDC? What you describe
> would make sense (i.e. for the server to use "raw NTLMSSP" and not use
> SPNEGO) if there were no Kerberos vs. NTLMSSP security choice to negotiate
> (the server would probably not be able to offer Kerberos if it is not part
> of a domain or if it could not contact its KDC so why even bother with
> SPNEGO in that case).
>
> Very interesting puzzle.

OK, you are right. My guess was wrong.

Here is another guess. The traces that I have that go directly to NTLMSSP
do not have bit-4 in the Flags2 field set, but do have bit-11 (EXT_SEC)
while the trace that I have that has bit-11 set, and uses SPNEGO, has
bit-4 set.

This bit is undocumented. I bet it is the bit that says, don't use raw
NTLMSSP :-)

Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com, http://www.richardsharpe.com
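
A small C helper for checking the correlation described in the message against other traces, added here as an example and not taken from the post, Samba or Ethereal: it reads Flags2 from an SMB1 header and labels the combination of bit 4 and bit 11 (EXT_SEC). The function names, the enum and the sample Flags2 values are constructed for illustration, and the labels encode the poster's guess, not a documented meaning of bit 4.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN    32      /* fixed SMB1 header size */
#define FLAGS2_OFFSET  10      /* magic(4) + command(1) + status(4) + flags(1) */
#define FLAGS2_BIT4    0x0010  /* bit 4, called undocumented in the post */
#define FLAGS2_EXT_SEC 0x0800  /* bit 11, EXT_SEC */

enum sec_guess { BAD_HEADER = -1, NO_EXT_SEC, RAW_NTLMSSP, SPNEGO };

/* Read little-endian Flags2; -1 on short buffer or missing 0xFF 'S' 'M' 'B'. */
int smb_flags2(const uint8_t *buf, size_t len, uint16_t *flags2) {
    if (buf == NULL || len < SMB_HDR_LEN || memcmp(buf, "\xFFSMB", 4) != 0)
        return -1;
    *flags2 = (uint16_t)(buf[FLAGS2_OFFSET] | (buf[FLAGS2_OFFSET + 1] << 8));
    return 0;
}

/* Label per the guess in the message: EXT_SEC without bit 4 was seen with
 * raw NTLMSSP, EXT_SEC with bit 4 was seen with SPNEGO. */
enum sec_guess classify(const uint8_t *buf, size_t len) {
    uint16_t f2;
    if (smb_flags2(buf, len, &f2) != 0)
        return BAD_HEADER;
    if (!(f2 & FLAGS2_EXT_SEC))
        return NO_EXT_SEC;
    return (f2 & FLAGS2_BIT4) ? SPNEGO : RAW_NTLMSSP;
}

/* Constructed sample: a zeroed header carrying only the given Flags2. */
void make_hdr(uint8_t hdr[SMB_HDR_LEN], uint16_t flags2) {
    memset(hdr, 0, SMB_HDR_LEN);
    memcpy(hdr, "\xFFSMB", 4);
    hdr[FLAGS2_OFFSET] = (uint8_t)(flags2 & 0xFF);
    hdr[FLAGS2_OFFSET + 1] = (uint8_t)(flags2 >> 8);
}

int main(void) {
    static const char *names[] = { "no EXT_SEC", "raw NTLMSSP", "SPNEGO" };
    const uint16_t samples[] = { 0xC001, 0xC801, 0xC811 };  /* constructed */
    uint8_t hdr[SMB_HDR_LEN];
    for (int i = 0; i < 3; i++) {
        make_hdr(hdr, samples[i]);
        printf("Flags2=0x%04X -> %s\n", (unsigned)samples[i],
               names[classify(hdr, sizeof hdr)]);
    }
    return 0;
}
```

The input buffer is expected to start at the SMB magic, so any NetBIOS session header in a capture has to be skipped first.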