Kerberos 5 and NTLMv2 without SPNEGO?

Michael B Allen ioplex at
Wed Jul 2 14:06:12 GMT 2008

On 7/2/08, Luke Howard <lukeh at> wrote:
> On 02/07/2008, at 7:22 PM, Nilesh Lonari wrote:
> > No, both Kerberos and NTLMSSP can't be done without SPNEGO support.
> >
> > Without SPNEGO, we would not be able to negotiate with the server which
> one
> > to use between the 2.
>  [MS-SMB] section 5.2 implies that any GSS-API mechanism is supported

The funny thing about SPNEGO w/ NTLM and Kerberos as mechs that many
people don't realize is that it does not actually negotiate anything.

Consider the two cases:

a) Client sends NTLM but server wan'ts Kerberos: If a Windows client
can't do Kerberos it doesn't send the Keberos OID so it leaves the
server no choices.

b) Client sends Kerberos but server want's NTLM: If the client was
able to acquire a Kerberos service ticket the server has a valid
service account so there should be no reason to reject it.

SPNEGO is basically dead weight.


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the samba-technical mailing list