[MS-SIPAE] [MS-NLMP] Getting SEC_E_MESSAGE_ALTERED errors when verifying NTLM message signature

Question

I'm implementing a SIP server with NTLM auth according to the MS-SIPAE and MS-NLMP specs.  When a client using SSPI connects to my server, the NTLM session appears to be established correctly (i.e. the CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE are exchanged properly and the first signed REGISTER response from the server is accepted by the client).  However, every message following the first fails signature verification (i.e. the SSPI VerifySignature function is returning 0x8009030f SEC_E_MESSAGE_ALTERED).

My server implementation works with the Pidgin client using SIPE if configured with its own NTLM implementation, but fails when it's configured to use SSPI.

Is it possible that SSPI implements NTLM signature verification differently than how it's described in the MS-SIPAE or MS-NLMP docs?

I can provide trace logs on request.

Answer 1

Hi Eden

 Thank you for contacting Microsoft Support. One of the Open specifications team member will contact you to assist further.

Thanks

---

Tarun Chopra | Escalation Engineer | Open Specifications Support Team

Answer 2

Hi Eden

I have taken ownership of this inquiry and will be assisting you. Can you please send network trace to my attention, Tarun Chopra, to dochelp at microsoft dot com for further analysis ? Furthermore, please confirm if you are using extended sesstion security.

Regards.

---

Tarun Chopra | Escalation Engineer | Open Specifications Support Team

Answer 3

Thank you.  I have sent a follow up email to that address.  

In the SSPI case, the client AUTHENTICATE_CHALLENGE message does not set NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.  In the non-SSPI case, it is set.

Answer 4

We were not properly reinitializing the RC4 cipher while NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY was set. Once we began doing this, the issue with message verification was resolved.