Hint on how Win2K etc choose raw NTLMSSP vs SPNEGO

Richard Sharpe rsharpe at ns.aus.com
Wed Oct 9 17:13:00 GMT 2002

On Thu, 10 Oct 2002, Richard Sharpe wrote:

> On Wed, 9 Oct 2002, Steven French wrote:
> > Richard,
> > In your note below is the Win2K server a member of a domain or standalone
> > and is it currently able to talk with its Kerberos KDC?   What you describe
> > would make sense (i.e. for the server to use "raw NTLMSSP" and not use
> > SPNEGO) if there were no Kerberos vs. NTLMSSP security choice to negotiate
> > (the server would probably not be able to offer Kerberos if it is not part
> > of a domain or if it could not contact its KDC so why even bother with
> > SPNEGO in that case).
> > 
> > Very interesting puzzle.
> OK, you are right. My guess was wrong.
> Here is another guess. The traces that I have that go directly to NTLMSSP 
> do not have bit-4 in the Flags2 field set, but do have bit-11 (EXT_SEC) 
> while the trace that I have that has bit-11 set, and uses SPNEGO, has 
> bit-4 set.
> This bit is undocumented. I bet it is the bit that says, don't use raw 

OK, not enough bits ... :-(

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com, http://www.richardsharpe.com

More information about the samba-technical mailing list