[OT] Digest authentication session key with ADS

Henrik Nordstrom hno at squid-cache.org
Thu Feb 19 23:45:59 GMT 2004


On Fri, 20 Feb 2004, Andrew Bartlett wrote:

> What we need to do now is set up IIS (or IAS) to use this mechanism, and
> see what happens on the wire.  It will all be in schannel, so set a
> local and domain policy to ensure that 'secure channel' communications
> are signed, not sealed.

Any details on how this is done? Not familiar with domain policies and I
guess this little parameter is hidden deep down somewhere not normally
visible.. but I admit that I have not looked for it yet (no Windows
stations nearby) so if it is obvious to find I apologize.

Btw, I was not even aware you could make schannel only signed. Very bad
for security but obviously good for reverse engineering ;-)


Btw, the upcoming Squid-2.5.STABLE5 release finally sends the NEGOTIATE
NTLMSSP packet to the helper and looks very promising for providing stable
NTLM over HTTP authentication.

Regards
Henrik


