PKU2U vs NTLM

  • Question

  • When do two Windows systems use the PKU2U authentication mechanism while using file shares?

    I have found that in all cases they use NTLM.

    And how does NegoEx (SPNEGO) work when NTLM authentication is the only one supported? According to NTLM, the first token should be sent only from the client; what will NegoEx send as the initial token from the server side?

    Is there any document from Microsoft about its implementation of the PKU2U authentication mechanism other than the link to the draft proposal?

    Friday, March 25, 2011 5:34 PM

Answers

  • Hi, Rajesh,

       Yes, NegoEx will not negotiate NTLM.  NTLM will be negotiated by the SPNEGO Negotiate SSP.  The following diagram may make it clear.

                              Negotiate SSP (MS-SPNG)
                             /          |           \
                   Kerberos SSP     NTLM SSP     NegoEx SSP
                                                     |
                                                 PKU2U SSP  and more custom SSPs supporting the NegoEx interface as specified in the draft.

         Also in the NegTokenInit packet, it will be listed as follows:

         - NegTokenInit:
              + SequenceHeader:
              + Tag0:
              - MechTypes: Prefer Negoex (1.3.6.1.4.1.311.2.2.30)
              + SequenceHeader:
              + MechType: Negoex (1.3.6.1.4.1.311.2.2.30)
              + MechType: NLMP (1.3.6.1.4.1.311.2.2.10)

        If it does negotiate NTLM, then it will be negotiated by SPNEGO itself, not by NegoEx.  To answer your question about the initial token sent by the server, you have to understand it in the context of SPNEGO and NTLM, not NegoEx.  The initial token from the server is the NegTokenInit2 token that contains the security mechanisms supported by the server, in your case only NTLM.  Then the client will pick NTLM as the security package and send a NegTokenInit token containing the NTLM_NEGOTIATE_MESSAGE token, which is the first token initiated by an NTLM client as you described.

        So you are right that NTLM should start with the NTLM_NEGOTIATE_MESSAGE from the client, but before that the server will send the client a NegTokenInit2 token to start mechanism negotiation.  Please see MS-SPNG (http://msdn.microsoft.com/en-us/library/cc247021(PROT.13).aspx) for details.

       Hope it helps.

    Thanks!


    Hongwei Sun -MSFT
    Sunday, April 3, 2011 6:26 PM
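As an added illustration (not code from the thread, from Microsoft, or from the MS-SPNG document), the following Python builds a minimal SPNEGO NegTokenInit with hand-written DER and parses its mechTypes back, to show the listing order the answer describes for an NTLM-only server: NegoEx first, NTLMSSP second. The two mechanism OIDs are the ones quoted above; the token layout (optional fields such as negHints omitted), the short-form-length-only DER helpers and the sample token are assumptions constructed here.

```python
# Added example: constructed SPNEGO NegTokenInit, built and parsed with hand-written DER.
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.3.6.1.4.1.311.2.2.30": "NegoEx", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP (NLMP)"}

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]                         # first two arcs share one octet
    for arc in arcs[2:]:                                   # base-128, high bit set on all but last
        top = 7 * (max(arc.bit_length() - 1, 0) // 7)
        out += [((arc >> s) & 0x7F) | (0x80 if s else 0) for s in range(top, -1, -7)]
    return bytes(out)

def decode_oid(content):
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def tlv(tag, content):                                     # DER TLV, short-form length only
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    tag, n = buf[pos], buf[pos + 1]
    assert n < 0x80, "long-form length not handled in this example"
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_neg_token_init(mech_oids):
    mech_list = tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = tlv(0xA0, tlv(0x30, tlv(0xA0, mech_list)))  # [0] negTokenInit { [0] mechTypes }
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + neg_init)  # GSS-API InitialContextToken

def mech_types(token):
    """Dotted OIDs from mechTypes, in the order the sender listed them (its preference)."""
    tag, body, _ = read_tlv(token, 0)                      # [APPLICATION 0]
    tag2, oid, pos = read_tlv(body, 0)                     # thisMech must be SPNEGO
    assert (tag, tag2, decode_oid(oid)) == (0x60, 0x06, SPNEGO_OID), "not a SPNEGO token"
    inner = body[pos:]
    for expect in (0xA0, 0x30, 0xA0, 0x30):                # negTokenInit > SEQ > mechTypes > SEQ OF
        tag, inner, _ = read_tlv(inner, 0)
        assert tag == expect, "unexpected structure at tag 0x%02x" % tag
    oids, pos = [], 0
    while pos < len(inner):
        _, oid, pos = read_tlv(inner, pos)
        oids.append(decode_oid(oid))
    return oids

# Constructed sample: the NTLM-only case from the thread, NegoEx listed before NTLMSSP.
SAMPLE_TOKEN = build_neg_token_init(["1.3.6.1.4.1.311.2.2.30", "1.3.6.1.4.1.311.2.2.10"])
```

`MECH_NAMES[mech_types(SAMPLE_TOKEN)[0]]` yields "NegoEx", the same preference the Network Monitor parse above shows; swapping the list order or feeding the parser a non-SPNEGO token trips the assertions.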

All replies

  • Hi Rajesh:

    I have alerted the protocol documentation team about your inquiry. A member of the team will be in touch soon.


    Regards, Obaid Farooqi
    Friday, March 25, 2011 8:16 PM
  • Hi, Rajesh,

       PKU2U authentication is used on Windows 7 computers for file sharing in a HomeGroup.  Users have to set up online ID integration in Windows 7 by explicitly linking their Windows user account to an online ID.  The following links are the information for you to use PKU2U with HomeGroup:

    ·  http://technet.microsoft.com/en-us/library/dd560634(WS.10).aspx  Introducing PKU2U in Windows

    ·  http://technet.microsoft.com/en-us/library/dd560662(WS.10).aspx  Introducing Online Identity Integration

    ·  http://technetnepal.net/blogs/gandip/archive/2010/03/02/online-identity-integration-in-windows-7.aspx  Online Identity Integration in Windows 7

    ·  http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx  An Introduction to Security in Windows 7

       NegoEx is a new SSP that can be negotiated by the Negotiate SSP.  It is in the same layer as the NTLM and Kerberos SSPs.  NegoEx can then negotiate more authentication protocols.  PKU2U is the only supported SSP loaded by NegoEx by default in Windows 7.  NegoEx and PKU2U are mainly specified in the draft proposals (http://tools.ietf.org/id/draft-zhu-negoex-02.txt and http://tools.ietf.org/id/draft-zhu-pku2u-09.txt).  They are also described in some of the open protocol documentation in terms of their relationship to other protocols.

    ·  http://msdn.microsoft.com/en-us/library/cc247021(v=prot.13).aspx  [MS-SPNG] section 1.4

    ·  http://msdn.microsoft.com/en-us/library/ee392725(v=prot.10).aspx  [MS-AUTHSO] section 3.3

        If only NTLM is available (no Kerberos), NegoEx and NTLM will be listed in the NegTokenInit token as the only available MechTypes.  NegoEx will be picked before NTLM.

       Please let us know if you have more questions.

    Thanks!

    Hongwei


    Hongwei Sun -MSFT
    Tuesday, March 29, 2011 10:56 PM
  • Hi Hongwei,

    Thank you for all the links related to PKU2U.

    As you said above, if only NTLM is available, NegoEx and NTLM will be listed. But the purpose of NegoEx is to negotiate different authentication protocols. And you have also mentioned that PKU2U is the only supported SSP.

    Does that mean NegoEx will not negotiate NTLM?

    If it does negotiate NTLM, then what will it put in the initial token which is sent from the server? According to NTLM there is nothing that the server should send first. NTLM should be started from the client side.

    Let me know if my question is clear or not.

    Thanks

    Rajesh

    Thursday, March 31, 2011 4:12 AM
  • Hi Hongwei,

    Thank you for the very good explanation. I think my doubts are not cleared.

    Rajesh

    Monday, April 4, 2011 2:45 AM