none
How to calculate 'mechListMIC' for spnego-api(ntlmssp) accept-completed(0) state? RRS feed

  • Question

  • Hi,

    I am trying to develop a SMB2 implementation of my own. I need some information on the authentication of SPNEGO and NTLMSSP (supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider). I am using Windows 7 client and Windows 2008 R2 server.

    I am using NTLMv2 and my flags setting is - Flags: 0xe2898215 (Negotiate Extended Security, Always Sign, NTLM key & Negotiate Sign are SET in flags). Also I am using the sequence number and session id properly in corresponding SMB2 Header.

    When I received (mechListMIC: 01000000c720d5a305636bdb00000000) from negTokenTarg request of SMB2 SessionSetup Request, NTLMSSP_AUTH, User: Domain\user, Unknown message type

    I tried to send back the SMB2 SessionSetup Response, Unknown message type response to receive SMB2 TreeConnect Request Tree: \\x.0.0.x\IPC$ from client. But I failed to receive the tree connect request.

    I don’t know how to generate the mechListMIC (e.g. mechListMIC: 01000000c720d5a305636bdb00000000) for NTLMSSP negTokenTarg, negResult: accept-completed (0) state.

    I read the rfc4178 specification and Microsoft doc on SPNEGO and NTLMSSP, but I didn’t find any concrete example of how to generate this mechListMIC for response.

    Any step-by-step example of generating the mechListMIC for SessionSetup Response, Unknown message type utilizing the necessary parameters of SessionSetup Request, NTLMSSP_AUTH, User: Domain\User, Unknown message type, would be great.

    Session setup Request

    GSS-API Generic Security Service Application Program Interface
        Simple Protected Negotiation
        negTokenTarg
         negResult: accept-incomplete (1)
         responseToken: 4e544c4d5353500003000000180018008600000014011401...

         NTLM Secure Service Provider
          NTLMSSP identifier: NTLMSSP
          NTLM Message Type: NTLMSSP_AUTH (0x00000003)

          Flags: 0xe2888215
          Version 6.1 (Build 7601); NTLM Current Revision 15
          MIC: 89770465b39e8a28cab3486ba7e45bc8

          mechListMIC: 01000000c720d5a305636bdb00000000
          NTLM Secure Service Provider
          NTLMSSP identifier: \001
          NTLM Message Type: Unknown (0xdb6b6305)
          Unrecognized NTLMSSP Message
          

          HexStream:
    0000   01 00 00 00 c7 20 d5 a3 05 63 6b db 00 00 00 00  ..... ...ck.....

    Session Setup Response

    GSS-API Generic Security Service Application Program Interface
        Simple Protected Negotiation
         negTokenTarg
          negResult: accept-completed (0)
          mechListMIC: 01000000c720d5a305636bdb00000000
          
          NTLM Secure Service Provider ???
           NTLMSSP identifier: \001                                    ???
           NTLM Message Type: Unknown (0xdb6b6305)   ???
           Unrecognized NTLMSSP Message

    HexStream:

    0000   a1 1b 30 19 a0 03 0a 01 00 a3 12 04 10 01 00 00  ..0.............
    0010   00 c7 20 d5 a3 05 63 6b db 00 00 00 00           .. ...ck.....

    I cannot understand how to create the mechListMIC (NTLMSSP Identifier & Message Type) in Session setup response to receive the tree connect request from client.


    Thanks,
    Shishir                                                                                




    • Edited by Shishir.Saha Wednesday, October 24, 2012 3:04 PM
    Wednesday, October 24, 2012 2:48 PM

Answers

All replies

  • Hi Shishir,

    Thank you for posting on the MSDN Forum. One of our support engineers will respond soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Wednesday, October 24, 2012 6:24 PM
  • Hi Shishir

    Thanks for contacting Microsoft Support. Per your post, I beleive you are implementing server endpoint of SMB2 and your custom application is acting as SMB2 server and client is win7. Is that understanding correct ? I would request you to read MS-SPNG http://msdn.microsoft.com/en-us/library/cc247021(prot.20).aspx specification which is Microsoft Extension to RFC 4178. Also, can you please send network trace to my attention at : dochelp at microsoft dot com for further analysis.

    Thanks


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, October 24, 2012 8:17 PM
  • Hi Tarun,

    Thanks a lot for your prompt reply. I'll send you the network trace shortly.

    Thanks,

    Shishir

    Thursday, October 25, 2012 7:00 AM