Hint on how Win2K etc choose raw NTLMSSP vs SPNEGO
Richard Sharpe
rsharpe at ns.aus.com
Wed Oct 9 17:13:00 GMT 2002
On Thu, 10 Oct 2002, Richard Sharpe wrote:
> On Wed, 9 Oct 2002, Steven French wrote:
>
> > Richard,
> > In your note below is the Win2K server a member of a domain or standalone
> > and is it currently able to talk with its Kerberos KDC? What you describe
> > would make sense (i.e. for the server to use "raw NTLMSSP" and not use
> > SPNEGO) if there were no Kerberos vs. NTLMSSP security choice to negotiate
> > (the server would probably not be able to offer Kerberos if it is not part
> > of a domain or if it could not contact its KDC so why even bother with
> > SPNEGO in that case).
> >
> > Very interesting puzzle.
>
> OK, you are right. My guess was wrong.
>
> Here is another guess. The traces that I have that go directly to NTLMSSP
> do not have bit-4 in the Flags2 field set, but do have bit-11 (EXT_SEC)
> while the trace that I have that has bit-11 set, and uses SPNEGO, has
> bit-4 set.
>
> This bit is undocumented. I bet it is the bit that says, don't use raw
> NTLMSSP :-)
OK, not enough bits ... :-(
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com, http://www.richardsharpe.com
More information about the samba-technical
mailing list