MS-SIPAE - 3.3.2 session timer incorrect?

  • Wednesday, October 07, 2009 9:02 AM - Tim Koehler

    Dear MS documentation team,

    We experience that the NTLM security association sometimes gets "stale" before the described 8 hours (at 3.3.2).

    "When the NTLM or Kerberos authentication handshake completes and the SA enters the "established" state, the SIP server MUST start an SA expiration timer with a value of 8 hours."

    We implemented the recommended handshake 5 minutes earlier, as recommended: "A value of five (5) minutes or longer is recommended (SHOULD)". At this time sometimes the old security association is already deleted on the server.

    Our current assumption is that the time is not a fixed value (8 hours) but rather a variable timeframe (which would make sense from a load perspective).

    Regards

    Tim Koehler
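
A small model of the timer interaction described in this post, added here as an illustration and not part of the thread or of the MS-SIPAE specification: the server holds an SA with its own expiration timer, and a hypothetical client re-handshakes five minutes before the documented 8 hours. The 6-hour server lifetime and the `reauth_on_401` flag are assumptions used to model the early "stale" deletion reported above and the client-side recovery for it.

```python
from dataclasses import dataclass
SA_LIFETIME_S = 8 * 3600   # MS-SIPAE 3.3.2: the server's SA expiration timer (8 hours)
REFRESH_MARGIN_S = 5 * 60  # client SHOULD re-handshake at least 5 minutes before expiry

@dataclass
class ServerSA:
    """Server-side SA; lifetime is a parameter so early expiry can be modelled."""
    established_at: float
    lifetime_s: float

    def accepts(self, now: float) -> bool:
        # Once the timer fires the SA is deleted; requests that use it get 401.
        return now < self.established_at + self.lifetime_s

class Client:
    """Hypothetical client: refreshes REFRESH_MARGIN_S before the documented expiry
    and, when reauth_on_401 is set, treats a 401 on an SA it still believes valid
    as a stale SA and re-handshakes at once instead of waiting for its own timer."""

    def __init__(self, server_lifetime_s: float, reauth_on_401: bool):
        self.server_lifetime_s = server_lifetime_s  # lifetime the server really applies (assumed)
        self.reauth_on_401 = reauth_on_401
        self.sa, self.next_refresh = None, 0.0
        self.handshakes, self.unauthorized = 0, 0

    def _handshake(self, now: float) -> None:
        self.sa = ServerSA(now, self.server_lifetime_s)  # server starts its timer now
        self.next_refresh = now + SA_LIFETIME_S - REFRESH_MARGIN_S
        self.handshakes += 1

    def send(self, now: float) -> bool:
        """Return True if the request was accepted (possibly after one retry)."""
        if self.sa is None or now >= self.next_refresh:
            self._handshake(now)  # scheduled refresh, 5 minutes before the 8h mark
        if self.sa.accepts(now):
            return True
        self.unauthorized += 1  # server answered 401: the SA was already deleted
        if not self.reauth_on_401:
            return False  # naive client keeps the stale SA until its own refresh time
        self._handshake(now)  # re-handshake and retry the request
        return True

def run(server_lifetime_s: float, reauth_on_401: bool, hours: int = 24) -> dict:
    """Send one request per minute for `hours`; return handshake and 401 counts."""
    client = Client(server_lifetime_s, reauth_on_401)
    for t in range(0, hours * 3600, 60):
        client.send(t)
    return {"handshakes": client.handshakes, "unauthorized": client.unauthorized}
```

With the documented 8-hour lifetime the client never sees a 401; with a server that drops the SA after 6 hours, the client that re-handshakes on 401 loses three requests over a day, while the one that trusts its own timer loses several hundred.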

Answers

  • Wednesday, November 04, 2009 3:57 PM - Dominic Salemno (MSFT, Moderator)
     Answer
    Tim,

    I will archive the information that we have received thus far. If you wish for us to continue an investigation into this matter, feel free to post in the future.

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

All Replies

  • Wednesday, October 07, 2009 12:36 PM - Bill Wesse (MSFT, Moderator)

    Hi Tim, thanks for your post regarding the [MS-SIPAE] protocol specification. I have alerted my team to this, and one of us will contact you soon.

    Regards,
    Bill Wesse

    Escalation Engineer
  • Thursday, October 08, 2009 3:25 PM - Tom Jebo_DSC (MSFT, Moderator)

    Tim,

    Thanks for the question about MS-SIPAE and the 8 hour expiration issue you're observing. I'll be looking into this for you. In the meantime, could you fill in some details for me?

    1. What version of server are you using?
    2. Do you have any trace or other data you can share with me?

    You can respond to EMAIL GONE with data if you'd prefer. Just reference my name and attach the information and description, title, etc... from this forum.

    Regards,
    Tom Jebo
    Senior Support Escalation Engineer
    Microsoft DS Protocol Team
  • Thursday, October 08, 2009 5:03 PM - Tim Koehler

    Hi Tom,

    1. 2007 R2 -- RTCC/3.5.0.0 (Standard Edition on Windows Server 2008)
    2. Theoretically yes, but the only thing you see is that the server sends back an "unauthorized" before the 8 hours are "over". In the event log of the server there is then an entry telling that the NTLM session is in a stale state. The interesting thing, though, is that it happens in different environments, with different connection types, etc., so we assume it's a more general thing. --> The session is not 8 hours long as "promised" in the documentation.

    Btw. snom has a federation with Microsoft, I also know who might help with these questions, feel free to ping me (EMAIL REMOVED). I can then also share desktop, etc.

    Cheers

    Tim

  • Thursday, October 08, 2009 7:06 PM - Tom Jebo_DSC (MSFT, Moderator)

    Tim,

    Your email was removed from the post. Please send an email to EMAIL GONE and we can discuss.

    Regards,
    Tom Jebo
    Senior Support Escalation Engineer
    Microsoft DS Protocol Team
  • Thursday, October 08, 2009 7:14 PM - Tom Jebo_DSC (MSFT, Moderator)

    Sorry Tim, mine was removed also. Just email "dochelp" and the domain is winse.microsoft.com.

    Regards,
    Tom Jebo
    Senior Support Escalation Engineer
    Microsoft DS Protocol Team
  • Monday, November 02, 2009 4:52 PM - Dominic Salemno (MSFT, Moderator)

    Tim,

    We still have not received any trace from you. Do you wish us to still investigate this issue?

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team