[OT] Digest authentication session key with ADS

Andrew Bartlett abartlet at samba.org
Thu Feb 19 23:51:52 GMT 2004


On Fri, 2004-02-20 at 10:45, Henrik Nordstrom wrote:
> On Fri, 20 Feb 2004, Andrew Bartlett wrote:
> 
> > What we need to do now is setup IIS (or IAS) to use this mechanism, and
> > see what happens on the wire.  It will all be in schannel, so set a
> > local and domain policy to ensure that 'secure channel' communications
> > are signed, not sealed.
> 
> Any details how this is done? Not familiar with domain policies and I
> guess this little parameter is hidden deep down somewhere not normally
> visible.. but I admit that I have not looked for it yet (no Windows
> stations nearby) so if it is obvious to find I apologise.

It's the domain/local/domain controller security policies.  These are
group policies on win2k.

> Btw, I was not even aware you could make schannel only signed. Very bad
> for security but obviously good for reverse engineering ;-)

Indeed :-)  (The actual session key is still encrypted however - just
not very well)

> Btw, the upcoming Squid-2.5.STABLE5 release finally sends the NEGOTIATE
> NTLMSSP packet to the helper and looks very promising for providing stable
> NTLM over HTTP authentication.

Great news!  This will really help those whose sites require 'NTLM2
session security'.  (NTLMv2 probably worked before, but just by luck...)

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
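The point about Squid passing the NEGOTIATE packet through to the helper is that the helper can only honour 'NTLM2 session security' if it gets to see the client's negotiate flags. The following is an added example (not Squid's or Samba's code): a small parser for the NTLMSSP Type 1 (NEGOTIATE) message that decodes the flags field and reports whether NTLM2 session security, signing and sealing were requested. The message layout and flag values follow the public NTLMSSP format (MS-NLMP); the sample message, `build_negotiate`, `parse_negotiate` and `SAMPLE_FLAGS` are constructed for this example and are not from the thread.

```python
import struct

# Flag bits from the NTLMSSP NegotiateFlags field (values as documented in MS-NLMP).
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_NTLM2",   # 'NTLM2 session security' (extended session security)
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1  # Type 1 message


def parse_negotiate(msg: bytes) -> dict:
    """Parse a Type 1 (NEGOTIATE) message and decode its flags.

    Returns the raw flags, the names of the set bits, and whether the client
    asked for NTLM2 session security, signing and sealing.
    """
    if len(msg) < 16 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)  # little-endian type and flags
    if msg_type != NEGOTIATE_MESSAGE:
        raise ValueError(f"expected NEGOTIATE (type 1), got type {msg_type}")
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if flags & bit]
    return {
        "flags": flags,
        "flag_names": names,
        "ntlm2_session_security": bool(flags & 0x00080000),
        "sign": bool(flags & 0x00000010),
        "seal": bool(flags & 0x00000020),
    }


def build_negotiate(flags: int) -> bytes:
    """Construct a minimal NEGOTIATE message with empty domain/workstation fields.

    Layout: signature(8) type(4) flags(4) DomainNameFields(8) WorkstationFields(8).
    Each *Fields entry is Len(2) MaxLen(2) Offset(4); empty fields point just past
    the header. (Helper for this example only.)
    """
    header_len = 8 + 4 + 4 + 8 + 8
    empty = struct.pack("<HHI", 0, 0, header_len)
    return SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags) + empty + empty


# Constructed sample: a client asking for unicode, NTLM, NTLM2 session security,
# signing, 128-bit keys and key exchange, but NOT sealing.
SAMPLE_FLAGS = (0x00000001 | 0x00000004 | 0x00000010 | 0x00000200
                | 0x00008000 | 0x00080000 | 0x20000000 | 0x40000000)
SAMPLE_NEGOTIATE = build_negotiate(SAMPLE_FLAGS)

if __name__ == "__main__":
    info = parse_negotiate(SAMPLE_NEGOTIATE)
    print(f"flags=0x{info['flags']:08x}")
    for name in info["flag_names"]:
        print("  ", name)
    print("NTLM2 session security requested:", info["ntlm2_session_security"])
    print("sign requested:", info["sign"], "/ seal requested:", info["seal"])
```

A proxy helper that only ever saw the Type 3 (AUTHENTICATE) message could not tell that the client had negotiated the NTLM2 bit, and would compute the wrong response for the challenge; parsing the Type 1 flags up front is what makes the later verification consistent.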