[OT] Digest authentication session key with ADS

Andrew Bartlett abartlet at samba.org
Thu Feb 19 23:51:52 GMT 2004

On Fri, 2004-02-20 at 10:45, Henrik Nordstrom wrote:
> On Fri, 20 Feb 2004, Andrew Bartlett wrote:
> > What we need to do now is setup IIS (or IAS) to use this mechanism, and
> > see what happens on the wire.  It will all be in schannel, so set a
> > local and domain policy to ensure that 'secure channel' communications
> > are signed, not sealed.
> Any details how this is done? Not familiar with domain policies and I
> guess this little parameter is hidden deep down somewhere not normally
> visible.. but I admit that I have not looked for it yet (no Windows
> stations nearby) so if it is obvious to find I apologize.

It's the domain/local/domain controller security policies.  These are
group policies on win2k.

> Btw, I was not even aware you could make schannel only signed. Very bad
> for security but obviously good for reverse engineering ;-)

Indeed :-)  (The actual session key is still encrypted however - just
not very well)

> Btw, the upcoming Squid-2.5.STABLE5 release finally sends the NEGOTIATE
> NTLMSSP packet to the helper and looks very promising for providing stable
> NTLM over HTTP authentication.

Great news!  This will really help those whose sites require 'NTLM2
session security'.  (NTLMv2 probably worked before, but just by luck...)


Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
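The "signed, not sealed" secure-channel setup Andrew describes above, as an added example that is not part of the original mail and not Samba project code. It works at the registry values behind the "Domain member: ..." security policy options (secpol.msc, Local Policies > Security Options), which the Netlogon service reads from HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters; the policy-to-value mapping used here is the documented one, and it is assumed the script runs elevated on the domain member under test. Two caveats a practitioner would want: a Group Policy refresh will put the values back unless the same choice is made in the domain or local security policy, and current Windows domain controllers enforce Netlogon RPC sealing, so a sign-only client will fail to establish the channel at all against them; this is a lab trick for 2004-era or deliberately downgraded controllers, and, as the thread says, bad for security.

```powershell
# Added example (not from the original thread or the Samba project): inspect and
# flip the Netlogon secure-channel sign/seal settings so that the channel is
# integrity-protected but readable on the wire. Lab use only.
#
# Assumptions: run elevated on the domain member whose traffic you want to
# capture; the policy-name -> registry-value mapping is the documented one for
# the Netlogon service.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Security-policy option text -> Netlogon registry value (all REG_DWORD, 1 = on)
$Map = [ordered]@{
    'Domain member: Digitally encrypt or sign secure channel data (always)' = 'RequireSignOrSeal'
    'Domain member: Digitally encrypt secure channel data (when possible)' = 'SealSecureChannel'
    'Domain member: Digitally sign secure channel data (when possible)'    = 'SignSecureChannel'
}

function Get-SecureChannelPolicy {
    # Report the effective state of each option as the Netlogon service sees it.
    $props = Get-ItemProperty -Path $NetlogonKey
    foreach ($entry in $Map.GetEnumerator()) {
        [pscustomobject]@{
            Policy  = $entry.Key
            Value   = $entry.Value
            Enabled = [bool]$props.($entry.Value)   # missing value reads as off
        }
    }
}

function Set-SecureChannelSignOnly {
    # Keep signing (tamper protection) but drop sealing (encryption) so the RPC
    # payloads, including the authentication exchange, are visible to a sniffer.
    # RequireSignOrSeal stays on: we want the channel protected, just not sealed.
    Set-ItemProperty -Path $NetlogonKey -Name 'RequireSignOrSeal' -Value 1 -Type DWord
    Set-ItemProperty -Path $NetlogonKey -Name 'SignSecureChannel'  -Value 1 -Type DWord
    Set-ItemProperty -Path $NetlogonKey -Name 'SealSecureChannel'  -Value 0 -Type DWord
    # The secure channel is renegotiated when Netlogon restarts.
    Restart-Service -Name Netlogon -Force
}

function Set-SecureChannelDefault {
    # Restore the default: sign and seal whenever the peer supports it.
    Set-ItemProperty -Path $NetlogonKey -Name 'RequireSignOrSeal' -Value 1 -Type DWord
    Set-ItemProperty -Path $NetlogonKey -Name 'SignSecureChannel'  -Value 1 -Type DWord
    Set-ItemProperty -Path $NetlogonKey -Name 'SealSecureChannel'  -Value 1 -Type DWord
    Restart-Service -Name Netlogon -Force
}

# Usage: show the current state, weaken to sign-only, show it again, then
# verify the channel came back before starting the packet capture:
#   nltest /sc_verify:<your domain>
Get-SecureChannelPolicy | Format-Table -AutoSize
Set-SecureChannelSignOnly
Get-SecureChannelPolicy | Format-Table -AutoSize
# When finished: Set-SecureChannelDefault
```

Setting the same three options in the domain or local security policy (as the mail suggests) is what makes the change stick across policy refreshes; editing the registry directly is only the quick way to see which values those options control.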