Kerberos 5 and NTLMv2 without SPNEGO?

Luke Howard lukeh at
Wed Jul 2 10:43:20 GMT 2008

On 02/07/2008, at 7:22 PM, Nilesh Lonari wrote:

> No, both Kerberos and NTLMSSP can't be done without SPNEGO support.
> Without SPNEGO, we would not be able to negotiate with the server  
> which one
> to use between the 2.

The InitialContextToken contains the OID of the GSS-API mechanism  
(NTLMSSP excepted, but it also contains a well known header).

> NTLMSSP works without SPNEGO as its the default auth. mechanism used  
> by
> Microsoft.

You've contradicted your first statement.

> And only Kerberos also can't work without SPNEGO support.

On what authority state you this?

[MS-SMB] section 5.2 implies that any GSS-API mechanism is supported  
(although that should be qualified by stating that the mechanism  
should have an exportable session key).

Now, you may be right, the only way to verify this for sure is to test  

-- Luke

More information about the samba-technical mailing list