"Session Key" in NTLMSSP auth frame.

Richard Sharpe rsharpe at ns.aus.com
Tue Sep 3 15:56:01 GMT 2002

On Tue, 3 Sep 2002, Jim McDonough wrote:

> >OK, I think that the code in cliconnect that tries to do ntlmssp is wrong
> >when it comes to the AUTH response. There is no session key sent. That is,
> >the session key is empty in the auth, and there should not be one in the
> >negotiate.
> >
> >If you look in sesssetup.c you will notice that the session key is
> >discarded after the token blob is parsed as well.
> >
> >So, get rid of the key in the negotiate, and send a NULL key in the AUTH,
> >and you should be right!
> Nope, not right.  At least, that's not what windows machines do.  Also,
> check out the doc:
> http://www.opengroup.org/onlinepubs/009899899/toc.htm
> and look in Chapter 11 for at least some of the NTLMSSP info.  The
> Sessionkey is sent in the auth command.

Well, I read that stuff, and I have a trace, and there is no session key 
in the trace, and chapter 11 implies that the session key is computed 
alike by each side.

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com

More information about the samba-technical mailing list