Kerberos 5 and NTLMv2 without SPNEGO?
Luke Howard
lukeh at padl.com
Wed Jul 2 10:43:20 GMT 2008
On 02/07/2008, at 7:22 PM, Nilesh Lonari wrote:
> No, both Kerberos and NTLMSSP can't be done without SPNEGO support.
>
> Without SPNEGO, we would not be able to negotiate with the server
> which one
> to use between the 2.
The InitialContextToken contains the OID of the GSS-API mechanism
(NTLMSSP excepted, but it also contains a well known header).
> NTLMSSP works without SPNEGO as its the default auth. mechanism used
> by
> Microsoft.
You've contradicted your first statement.
> And only Kerberos also can't work without SPNEGO support.
On what authority state you this?
[MS-SMB] section 5.2 implies that any GSS-API mechanism is supported
(although that should be qualified by stating that the mechanism
should have an exportable session key).
Now, you may be right, the only way to verify this for sure is to test
it.
-- Luke
More information about the samba-technical
mailing list