NTLM: IntegrityLevel in Restriction_Encoding (AV_PAIR) set to '1'

    Question

  • Does anyone know what would cause the IntegrityLevel in the Restriction_Encoding structure within an AV_PAIR structure to be set to '1'?

    I am working on an NTLM authentication problem where on one Windows 7 PC the IntegrityLevel seems to be set to '1', where on another Windows 7 PC IntegrityLevel is set to '0', and I don't understand why or how this attribute is set. NTLM authentication is not working on the PC where IntegrityLevel is set to '1' and I'm trying to figure out if this might be the cause.

    AV_PAIR is documented at http://msdn.microsoft.com/en-us/library/cc207867(PROT.10).aspx.

    Restriction_Encoding is documented at http://msdn.microsoft.com/en-us/library/cc207868(v=prot.10).aspx.

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa370274(v=vs.85).aspx indicates that 'SE_GROUP_INTEGRITY_ENABLED' controls if a group is enabled for integrity level.

    I am however unable to find any documentation on how the Integrity Level attribute is set to 0 or 1, or what these values mean.

    Any suggestions are welcome,

    Andreas


    Friday, July 13, 2012 11:50 AM

All replies

  • Hi Andreas, thank you for your question. A member of the protocol documentation team will respond to you soon.

    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Friday, July 13, 2012 2:17 PM
    Owner
  • Hi Andreas

    Thank you for contacting Microsoft. I am researching this for you and will contact you in case of any further clarification or update.

    Thanks


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Friday, July 13, 2012 11:51 PM
  • Hi Tarun,

    have you managed to find any information on this?

    Thanks!

    Andreas

    Tuesday, July 17, 2012 10:48 AM
  • Hi Andreas

    Regarding your question “what these values mean” – per the MS-NLMP specification, http://msdn.microsoft.com/en-us/library/cc236647(v=PROT.10).aspx, the IntegrityLevel field indicates the presence of the SubjectIntegrityLevel field. If IntegrityLevel is set, i.e. 1, the recipient SHOULD apply the integrity level; otherwise NOT. Hence the specification is clear in describing the IntegrityLevel. Windows behavior note <18> (http://msdn.microsoft.com/en-us/library/cc236722(v=prot.10).aspx) elaborates on the use of the word SHOULD: the Restriction_Encoding structure is not used by Windows and shouldn’t have any effect on validation.

    Regarding your question “how the Integrity Level attribute is set to 0 or 1” – this is out of our support boundary, as we support only Open Specifications documentation, and I would request you to post your query here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

    Please let me know if the above information helps.

    Thanks


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, July 17, 2012 5:59 PM
  • Hi Andreas_W,

    I'm researching the same; I think I have found what the values are for the integrity level:

    http://msdn.microsoft.com/en-us/library/bb625963.aspx

    Table 2   Defined integrity levels and corresponding values

    Value    Description               Symbol
    0x0000   Untrusted level           SECURITY_MANDATORY_UNTRUSTED_RID
    0x1000   Low integrity level       SECURITY_MANDATORY_LOW_RID
    0x2000   Medium integrity level    SECURITY_MANDATORY_MEDIUM_RID
    0x3000   High integrity level      SECURITY_MANDATORY_HIGH_RID
    0x4000   System integrity level    SECURITY_MANDATORY_SYSTEM_RID

    An example of a medium integrity level SID is this string: S-1-16-8192. The RID value of 8192 is the decimal equivalent of 0x2000.

    Sending this AV_PAIR is affecting TS Gateway connectivity. With some servers, sending it "fixes" connectivity, while it breaks it for others. In this case, shouldn't there be more information given out about the values, for the sake of interoperability?

    Wednesday, January 09, 2013 9:09 PM
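A small decoder for the AV_PAIR list and the Restriction_Encoding value, added here as an illustration and not code from this thread or from Microsoft: it walks a TargetInfo buffer to AvId 0x0008, checks Size and Z4, reads the IntegrityLevel flag and maps SubjectIntegrityLevel to the symbols in the table above. The 48-byte field layout (Size, Z4, IntegrityLevel, SubjectIntegrityLevel, MachineID) is taken from MS-NLMP; the TargetInfo bytes and the machine ID are constructed sample values, and the two calls in the test mirror the "IntegrityLevel = 1" and "IntegrityLevel = 0" PCs from the question.

```python
import struct
INTEGRITY_LEVELS = {  # SECURITY_MANDATORY_*_RID values from the table above (MS-DTYP 2.4.2.4)
    0x0000: "SECURITY_MANDATORY_UNTRUSTED_RID",
    0x1000: "SECURITY_MANDATORY_LOW_RID",
    0x2000: "SECURITY_MANDATORY_MEDIUM_RID",
    0x3000: "SECURITY_MANDATORY_HIGH_RID",
    0x4000: "SECURITY_MANDATORY_SYSTEM_RID",
}
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_RESTRICTIONS = 0x0008  # carries Restriction_Encoding (MsvAvRestrictions / MsvAvSingleHost)

def parse_av_pairs(data: bytes) -> dict:
    """Walk an AV_PAIR list (AvId, AvLen little-endian, then Value) up to MsvAvEOL."""
    pairs, off = {}, 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated AV_PAIR header")
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        if off + av_len > len(data):
            raise ValueError("AV_PAIR value runs past end of buffer")
        pairs[av_id] = data[off:off + av_len]
        off += av_len

def parse_restriction_encoding(value: bytes) -> dict:
    """Decode Size, Z4, IntegrityLevel, SubjectIntegrityLevel and MachineID (48 bytes)."""
    if len(value) != 48:
        raise ValueError("Restriction_Encoding must be 48 bytes, got %d" % len(value))
    size, z4, flag, subject = struct.unpack_from("<IIII", value, 0)
    if size != 48 or z4 != 0:
        raise ValueError("bad Size/Z4 in Restriction_Encoding")
    # SubjectIntegrityLevel is only meaningful when the IntegrityLevel flag is 1
    level = INTEGRITY_LEVELS.get(subject, hex(subject)) if flag == 1 else None
    return {"integrity_level_present": flag == 1, "subject_integrity_level": level,
            "machine_id": value[16:48].hex()}

def build_sample_target_info(flag: int, subject: int) -> bytes:
    """Constructed sample TargetInfo: a NetBIOS computer name plus one Restriction_Encoding pair."""
    name = "PC1".encode("utf-16-le")  # constructed value
    restriction = struct.pack("<IIII", 48, 0, flag, subject) + bytes(range(32))  # constructed MachineID
    return (struct.pack("<HH", MSV_AV_NB_COMPUTER_NAME, len(name)) + name
            + struct.pack("<HH", MSV_AV_RESTRICTIONS, 48) + restriction
            + struct.pack("<HH", MSV_AV_EOL, 0))

def decode_sample(flag: int, subject: int) -> dict:
    """Round-trip for one PC's value: build the sample, parse the list, decode the restriction pair."""
    return parse_restriction_encoding(parse_av_pairs(build_sample_target_info(flag, subject))[MSV_AV_RESTRICTIONS])
```

Run `decode_sample(1, 0x2000)` against `decode_sample(0, 0)` to see the difference between the two PCs in the question: only the first reports a subject integrity level, and a capture from a real client can be fed to `parse_av_pairs` in the same way.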
  • Hi Marc Andre,

    Thank you for your contribution. An engineer will contact you soon regarding your follow-up question "shouldn't there be more information given out about the values, for the sake of interoperability?"


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Thursday, January 10, 2013 4:54 PM
    Moderator
  • Hi Marc

    Thank you for contacting Microsoft Support. I have taken ownership of this request and would appreciate it if you could share additional details on the specification that has missing information. Is it MS-NLMP, MS-TSGU or any other Windows open specification?

    As additional information, values of Integrity Level are defined in section 2.4.2.4 of MS-DTYP as well: http://msdn.microsoft.com/en-us/library/cc980032.aspx

    Regards


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team



    Thursday, January 10, 2013 5:14 PM
  • Hi Marc

    I would appreciate it if you could share your inputs.

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, January 16, 2013 11:14 PM
  • Hi Marc

    We are still looking forward to your inputs.

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Monday, January 21, 2013 5:18 PM
  • Hi Marc

    I am going to be archiving this issue. If you wish to continue investigating this matter in future, kindly feel free to contact us by posting a new request on this very forum or via dochelp (at) microsoft (dot) com.

    We will be glad to assist.

    Thanks


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, January 24, 2013 10:29 PM