Kerberos 5 and NTLMv2 without SPNEGO?
Michael B Allen
ioplex at gmail.com
Wed Jul 2 14:06:12 GMT 2008
On 7/2/08, Luke Howard <lukeh at padl.com> wrote:
> On 02/07/2008, at 7:22 PM, Nilesh Lonari wrote:
>
> > No, both Kerberos and NTLMSSP can't be done without SPNEGO support.
> >
> > Without SPNEGO, we would not be able to negotiate with the server which
> > one to use between the 2.
<snip>
> [MS-SMB] section 5.2 implies that any GSS-API mechanism is supported
The funny thing about SPNEGO w/ NTLM and Kerberos as mechs that many
people don't realize is that it does not actually negotiate anything.
Consider the two cases:
a) Client sends NTLM but server wants Kerberos: If a Windows client
can't do Kerberos it doesn't send the Kerberos OID so it leaves the
server no choices.
b) Client sends Kerberos but server wants NTLM: If the client was
able to acquire a Kerberos service ticket the server has a valid
service account so there should be no reason to reject it.
SPNEGO is basically dead weight.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
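As an added illustration of the two cases above (example code written for this page, not code from the thread, from Samba or from ioplex), the following Python builds a constructed SPNEGO initial token with a chosen mechTypes list, reads the list back the way a server sees it, and models the acceptance rule behind Mike's argument: the server can only accept a mechanism the client actually offered, so whether the client put the Kerberos OID in the list decides the outcome. The OIDs are the standard Kerberos V5, Microsoft Kerberos and NTLMSSP values; the token layout follows the GSS-API/SPNEGO DER structure, with only the mechTypes element of NegTokenInit populated.

```python
SPNEGO = "1.3.6.1.5.5.2"
KRB5, MSKRB5, NTLMSSP = "1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"

def tlv(tag, body):  # one DER element; long-form length for bodies of 128 bytes or more
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body
def encode_oid(dotted):  # OBJECT IDENTIFIER: first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))
def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))
def read_tlv(buf, pos=0):  # -> (tag, value, offset just past the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def build_neg_token_init(mechs):  # [APPLICATION 0] { OID spnego, [0] SEQUENCE { [0] mechTypes } }
    mech_types = tlv(0xA0, tlv(0x30, b"".join(encode_oid(m) for m in mechs)))
    return tlv(0x60, encode_oid(SPNEGO) + tlv(0xA0, tlv(0x30, mech_types)))
def offered_mechs(token):  # the mechTypes list a client actually put in its initial token
    tag, body, _ = read_tlv(token)
    tag2, oid, pos = read_tlv(body)
    if tag != 0x60 or tag2 != 0x06 or decode_oid(oid) != SPNEGO:
        raise ValueError("not a SPNEGO initial context token")
    _, neg_init, _ = read_tlv(body, pos)   # [0] NegTokenInit
    _, seq, _ = read_tlv(neg_init)         # SEQUENCE
    tag, mech_types, _ = read_tlv(seq)     # [0] mechTypes
    assert tag == 0xA0, "mechTypes missing"
    _, lst, _ = read_tlv(mech_types)       # SEQUENCE OF OID
    out, pos = [], 0
    while pos < len(lst):
        _, oid, pos = read_tlv(lst, pos)
        out.append(decode_oid(oid))
    return out
def server_picks(offered, supported):  # the server may only accept a mech the client offered
    return next((m for m in offered if m in supported), None)
```

Case a) is `server_picks([NTLMSSP], {KRB5, NTLMSSP})`: the Kerberos-capable server still ends up with NTLMSSP because nothing else was offered; case b) is a list led by a Kerberos OID, which a server that holds a valid service account simply accepts.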