[security-dev 01604]: Re: Request for comment: spec: NTLM as a SASL mech

Natalie Li Natalie.Li at Sun.COM
Thu Feb 4 09:03:45 PST 2010


Natalie Li wrote:
>>  Security Blob: 605506062B0601050502A04B3049A00E300C060A2B060104...
>>             GSS-API Generic Security Service Application Program 
>> Interface
>>                 OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected 
>> Negotiation)
>>                 SPNEGO
>>                     negTokenInit
>>                         mechTypes: 1 item
>>                             Item: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - 
>> Microsoft NTLM Security Support Provider)
>>                         mechToken: 
>> 4E544C4D535350000100000097B208E2060006002F000000...
>>                         NTLMSSP
>>                             NTLMSSP identifier: NTLMSSP
>>                             NTLM Message Type: NTLMSSP_NEGOTIATE 
>> (0x00000001)
>>                             Flags: 0xe208b297
>>                             Calling workstation domain: NLW2K8
>>                             Calling workstation name: PHANTOM
>
> In CIFS, Windows clients typically send raw NTLMSSP messages in non AD 
> environment while domain clients send NTLMSSP w/ SPNEGO.  I don't 
> really know whether my observation apply here when NTLM is used as a 
> SASL mech.
>
> Natalie
>
Sorry it was late at night and I didn't say it right as my brain was 
half-asleep.
Typically, if authenticating against a standalone Windows server, raw 
NTLMSSP has been observed to be used by Windows clients.
If authenticating against a Windows domain member server (say in domain 
A), assuming your client is either in a different domain which is not 
trusted by domain A or in workgroup mode, NTLMSSP w/ SPNEGO is used.
Again, I'm describing how NTLM auth is used in file sharing context.

Regards,

Natalie

> Max (Weijun) Wang wrote:
>> How are these 2 forms used (by MS and others)? I've never seen an 
>> NTLM token embedded inside the SPNEGO initial context token.
>>
>> Thanks
>> Max
>>




More information about the security-dev mailing list