[OT] Digest authentication session key with ADS
Andrew Bartlett
abartlet at samba.org
Thu Feb 19 23:51:52 GMT 2004
On Fri, 2004-02-20 at 10:45, Henrik Nordstrom wrote:
> On Fri, 20 Feb 2004, Andrew Bartlett wrote:
>
> > What we need to do now is setup IIS (or IAS) to use this mechanism, and
> > see what happens on the wire. It will all be in schannel, so set a
> > local and domain policy to ensure that 'secure channel' communications
> > are signed, not sealed.
>
> Any details how this is done? Not familiar with domain policies and I
> guess this little parameter is hidden deep down somewhere not normally
> visible.. but I admit that I have not looked for it yet (no Windows
> stations nearby) so if it is obvious to find I apologize.
It's the domain/local/domain controller security policies. These are
group policies on win2k.
> Btw, I was not even aware you could make schannel only signed. Very bad
> for security but obviously good for reverse engineering ;-)
Indeed :-) (The actual session key is still encrypted however - just
not very well)
> Btw, the upcoming Squid-2.5.STABLE5 release finally sends the NEGOTIATE
> NTLMSSP packet to the helper and looks very promising for providing stable
> NTLM over HTTP authentication.
Great news! This will really help those whose sites require 'NTLM2
session security'. (NTLMv2 probably worked before, but just by luck...)
Thanks,
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net