Question on NTLMv2 over SMB

Yimin Chen (ymchen) ymchen at cisco.com
Fri Sep 2 21:17:19 GMT 2005


Hi Andrew,

I am having a problem authenticating with the domain controller even after my
proxy sends back the correct target information about the domain
controller. I have some questions that I would like to clarify to make
sure I am doing the right thing and have the correct understanding of the
NTLMv2 algorithm.

First of all, here is my setup:

IE configured to use my proxy
Proxy has NTLM authentication and will send a 407 back to the client for
authentication
IE performs the NTLM handshakes with the proxy, and the proxy obtains the
challenge and NetBIOS names over SMB from the domain controller, and sends
the information over in the type-2 message.
IE sends LMv2 and NTLMv2 responses, and the proxy sends the NTLMv2 or LMv2
response in the CaseInsensitivePassword field (ASCII password field) over
SMB to the domain controller
Proxy OEM flag is set, unicode flag not set in type-2 message

Now my questions:

1) As long as I typed the username, password, and domain correctly in
the browser pop-up, the only thing that could cause an incorrect LMv2
response is the NetBIOS name of the domain that is used in the v2 hash,
right?

2) The NetBIOS name of the domain used in the v2 hash is obtained from the
target information, right? Or obtained from the Primary Domain field in
the SMB Negotiate Protocol Response, which is the upper case of what I
typed in the pop-up window? I compared my target information against what
the domain controller sends back in the case of IE requesting a
NTLM-protected object off that domain controller, and they are the same.
I used the same username, password, domain for the NTLM-protected object
case, and it is working fine.

3) So what else can be wrong in the LMv2 response?
4) Does the username passed over SMB have to be in unicode, even if
flag2 indicates unicode not supported?


Thanks!

Yimin
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org] 
> Sent: Monday, June 27, 2005 9:08 PM
> To: Yimin Chen (ymchen)
> Cc: samba-technical at lists.samba.org
> Subject: Re: Question on NTLMv2 over SMB
> 
> On Mon, 2005-06-27 at 21:02 -0700, Yimin Chen wrote:
> > Hi Andrew,
> > 
> > Thanks for your response. What I was testing was pass-through 
> > authentication, so my program is acting as proxy and 
> handing the LMv2 
> > response from browser to the domain controller. My program is not 
> > encoding the LMv2 response.
> 
> Check you are not messing up the username and domain, which 
> are part of the response. 
> 
> > Client browser actually sent both LMv2 and NTLMv2 response, I just 
> > handed over the LMv2 response in the CaseInsensitivePassword field, 
> > while leaving the CaseSensitivePassword empty. Is this the 
> right way 
> > to do it, if I just wanted to see whether the DC will honor 
> the LMv2 response?
> 
> That sounds right.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                
> http://samba.org/~abartlet/
> Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net
> 

