none
Using SSPI to generate initial client SPNEGO security blob for SMB2 Session Setup Request

    Question

  • I have read the blog post "Authentication 101" by Obaid Farooqi and run the SSPI sample code provided here, but unfortunately am having difficulty replicating the SPNEGO network traffic described in the article. Instead, the security data blob returned by InitializeSecurityContext() in the output parameter `PSecBufferDesc pOutput` and subsequently put on the wire simply begins with the characters NTLMSSP as opposed to looking like a GSSAPI/SPNEGO header. The client/server exchange in the sample succeeds, but I am at a loss as how to initialize a SMB2 SPNEGO security blob with SSPI.

    The test was performed on Windows 10 Pro, which means there is no Kerberos in sight. But in this instance, I want the client to send a SPENGO blob with the one mech type available to the client, namely NTLM. Ultimately what I am trying to accomplish is to send a client initiated SMB2 Session Setup Request with OID SPNEGO, MechType NTLMSSP, and NTLM Message Type `NTLMSSP_NEGOTIATE`. Any insight on how I might do this using the SSPI APIs would be appreciated.
    Friday, April 21, 2017 6:02 AM

Answers

  • Forum update:

    This issue is resolved. Here is the solution to this problem.

    To use SPNEGO, windows SSPI introduced a NegTokenInit2 token that is generated by Server before client sends any security token. It is described in MS-SPNG section "3.2.5.2 NegTokenInit2 Variation for Server-Initiation".


    Regards, Obaid Farooqi

    Monday, May 01, 2017 6:40 PM
    Moderator

All replies

  • Hi,

    Thank you for the questions on SMB.  We have received the questions and someone will be in contact from the Windows Open Specifications support team. 

    Thanks,

    Nathan Manis

    Friday, April 21, 2017 2:38 PM
    Moderator
  • Hi Therealkenc:

    Can you please send an email to dochelp at Microsoft dot com to my attention? I need a network trace of the problem you are observing.


    Regards, Obaid Farooqi

    Saturday, April 22, 2017 4:37 AM
    Moderator
  • Forum update:

    This issue is resolved. Here is the solution to this problem.

    To use SPNEGO, windows SSPI introduced a NegTokenInit2 token that is generated by Server before client sends any security token. It is described in MS-SPNG section "3.2.5.2 NegTokenInit2 Variation for Server-Initiation".


    Regards, Obaid Farooqi

    Monday, May 01, 2017 6:40 PM
    Moderator