Hint on how Win2K etc choose raw NTLMSSP vs SPNEGO

Richard Sharpe rsharpe at ns.aus.com
Wed Oct 9 16:58:00 GMT 2002

On Wed, 9 Oct 2002, Steven French wrote:

> Richard,
> In your note below is the Win2K server a member of a domain or standalone
> and is it currently able to talk with its Kerberos KDC?   What you describe
> would make sense (i.e. for the server to use "raw NTLMSSP" and not use
> SPNEGO) if there were no Kerberos vs. NTLMSSP security choice to negotiate
> (the server would probably not be able to offer Kerberos if it is not part
> of a domain or if it could not contact its KDC so why even bother with
> SPNEGO in that case).
> Very interesting puzzle.

OK, you are right. My guess was wrong.

Here is another guess. The traces that I have that go directly to NTLMSSP 
do not have bit-4 in the Flags2 field set, but do have bit-11 (EXT_SEC) 
while the trace that I have that has bit-11 set, and uses SPNEGO, has 
bit-4 set.

This bit is undocumented. I bet it is the bit that says, don't use raw 

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com, http://www.richardsharpe.com

More information about the samba-technical mailing list