Sunday, 28 August 2011 18:51
I have the following question about Windows SSPI. I have made an app that has to authorize with a server using the MS-SIPAE protocol in NTLM mode. The app uses SSPI.
See http://msdn.microsoft.com/en-us/library/cc431510.aspx. about the MS-SIPAE. There is the following step there (http://msdn.microsoft.com/en-us/library/dd946897.aspx): “The protocol client uses an authentication protocol GSS_GetMIC() call, as specified in [MS-NLMP] section 3.1.4 for NTLM, and in [RFC2743] section 2.3.1 for Kerberos, to generate a signature token for the buffer constructed in the preceding step 2 using the authentication protocol context stored in the SA. ”
The question is: what exactly corresponds to the abstract “GSS_GetMIC” in the SSPI API? In SSPI I have found a function named MakeSignature – it seems this is what I need. An MSDN article, http://msdn.microsoft.com/en-us/library/ms995331.aspx, also seems to confirm this. Can someone confirm this conclusion? And how exactly should I use MakeSignature so that it corresponds to “GSS_GetMIC”?
Sunday, 28 August 2011 21:02 Moderator
SSPI is not covered in Open Specification documentation. But it is well documented on MSDN. MakeSignature corresponds to the GSS_GetMIC function, as indicated on http://msdn.microsoft.com/en-us/library/aa380496(v=VS.85).aspx.
The following article contains the documentation for MakeSignature including a sample. http://technet.microsoft.com/en-us/library/bb742535.aspx
Hongwei Sun -MSFT
- Proposed as answer by Hongwei Sun-MSFT, Microsoft Employee, Moderator, Sunday, 28 August 2011 21:02
Monday, 29 August 2011 08:22
Thank you for the response. But I would like to get more details of [MS-SIPAE], because my application receives HRESULT="0xC3E93EC8(SIP_E_AUTH_INVALIDSIGNATURE)" from the server all the time.
Because “INVALIDSIGNATURE” is sent back, I suppose I did something wrong in 126.96.36.199, Step 3. This is where I create a buffer that looks like “<NTLM><0f69ec40><1><SIP Communications Service>…..”. So I have the following questions:
1. What do the words “Note that for the NTLM Security Support Provider Interface (SSPI), the protocol client provides a fixed message sequence number of 100 in addition to the buffer and protocol context” mean? Does it mean I should call MakeSignature with MessageSeqNo=100? And what should I put into the CSeq header field: 100? Or just the next sequence number (3 in my case)? I cannot understand this.
2. What should I put into fQOP of MakeSignature? It is described as “Package-specific flags that indicate the quality of protection” – what should be put into it for the NTLM I use?
3. I looked at the protocol examples on http://msdn.microsoft.com/en-us/library/cc431510.aspx and see the following contradictions.
On http://msdn.microsoft.com/en-us/library/dd924859(v=office.12).aspx the buffer looks as follows: “<Kerberos><1d7d4ecf><SIP Communications Service><sip/server.contoso.com><c7142b90f8c94668807a382f552a6770><2><REGISTER><firstname.lastname@example.org><604168c9c0><email@example.com><9588410E2DA11CEE9D0AE7733E07830F><><><>”. Why is the cnum omitted? It should be the 3rd element. Why is “The tag parameter value from the To header field” specified (“<9588410E2DA11CEE9D0AE7733E07830F>”)? The tag is absent in the To header in fact: I see “To: <sip:firstname.lastname@example.org>” below, without any tag. Is this just a misprint, or do I not understand something in the protocol? The buffer in the TLSDSK example (http://msdn.microsoft.com/en-us/library/ff530353(v=office.12).aspx) corresponds to the protocol exactly; so does the example http://msdn.microsoft.com/en-us/library/dd924859(v=office.12).aspx contain errors?
Monday, 12 September 2011 17:24 Moderator
I will be looking into this for you and will get back to you shortly.
Microsoft Open Specifications
Tuesday, 20 September 2011 14:26 Moderator
Just an update, your question #1 was answered on this thread. Here's what was given as the response, let me know if that's not clear enough:
"Section 3.4.4 of MS-NLMP says "In the case of connectionless NTLM authentication, the SeqNum parameter SHOULD be specified by the application". When using NTLM in the context of MS-SIPAE, the SeqNum value supplied by the application is always 100. The actual value that ends up in the NTLMSSP_MESSAGE_SIGNATURE might be different and it depends on security flags negotiated by the NTLM during SA establishment (see section 3.4.4 of MS-NLMP)."
I'll get back to you on #2 and #3.
Monday, 3 October 2011 20:44 Moderator
Can you send me an email at dochelp at Microsoft dot com? In the email, if you could include a few things:
1) a netmon capture of the traffic (with side file of the certificate) between the server and your client. Include in the capture the handshake between server and client.
2) a brief description of the scenario (what you're trying to accomplish from a high level)
3) the server type and version information
Thanks for your patience,
Microsoft Open Specifications
Friday, 2 December 2011 23:28 Moderator
I haven't seen a response to this issue via either dochelp or this forum thread. Was it resolved? I’m going to close this on our end. But, if this still requires attention, please contact us.
- Marked as answer by Tom Jebo, Microsoft Employee, Moderator, Monday, 21 May 2012 19:06