[security-dev 01604]: Re: Request for comment: spec: NTLM as a SASL mech
Natalie Li
Natalie.Li at Sun.COM
Thu Feb 4 17:03:45 UTC 2010
Natalie Li wrote:
>> Security Blob: 605506062B0601050502A04B3049A00E300C060A2B060104...
>> GSS-API Generic Security Service Application Program
>> Interface
>> OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected
>> Negotiation)
>> SPNEGO
>> negTokenInit
>> mechTypes: 1 item
>> Item: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP -
>> Microsoft NTLM Security Support Provider)
>> mechToken:
>> 4E544C4D535350000100000097B208E2060006002F000000...
>> NTLMSSP
>> NTLMSSP identifier: NTLMSSP
>> NTLM Message Type: NTLMSSP_NEGOTIATE
>> (0x00000001)
>> Flags: 0xe208b297
>> Calling workstation domain: NLW2K8
>> Calling workstation name: PHANTOM
>
> In CIFS, Windows clients typically send raw NTLMSSP messages in non AD
> environment while domain clients send NTLMSSP w/ SPNEGO. I don't
> really know whether my observation apply here when NTLM is used as a
> SASL mech.
>
> Natalie
>
Sorry it was late at night and I didn't say it right as my brain was
half-asleep.
Typically, if authenticating against a standalone Windows server, raw
NTLMSSP has been observed to be used by Windows clients.
If authenticating against a Windows domain member server (say in domain
A), assuming your client is either in a different domain which is not
trusted by domain A or in workgroup mode, NTLMSSP w/ SPNEGO is used.
Again, I'm describing how NTLM auth is used in file sharing context.
Regards,
Natalie
> Max (Weijun) Wang wrote:
>> How are these 2 forms used (by MS and others)? I've never seen an
>> NTLM token embedded inside the SPNEGO initial context token.
>>
>> Thanks
>> Max
>>
More information about the security-dev
mailing list