MS-SIPAE <-> SSPI: MakeSignature is 'GSS_GetMIC'?

  • Question

  • I have the following question about Windows SSPI. I have made an app that has to authorize with a server using the MS-SIPAE protocol in NTLM mode. The app uses SSPI.
    See http://msdn.microsoft.com/en-us/library/cc431510.aspx about MS-SIPAE. There is the following step there (http://msdn.microsoft.com/en-us/library/dd946897.aspx): "The protocol client uses an authentication protocol GSS_GetMIC() call, as specified in [MS-NLMP] section 3.1.4 for NTLM, and in [RFC2743] section 2.3.1 for Kerberos, to generate a signature token for the buffer constructed in the preceding step 2 using the authentication protocol context stored in the SA."

    The question is: what exactly corresponds to the abstract "GSS_GetMIC" in the SSPI API? In SSPI I have found a function named MakeSignature, which seems to be what I need. An MSDN article, http://msdn.microsoft.com/en-us/library/ms995331.aspx, also seems to confirm this. Can someone confirm this conclusion? And how exactly should I use MakeSignature so that it corresponds to "GSS_GetMIC"?

    Sunday, August 28, 2011 6:51 PM

Answers

  • Glen,

    I haven't seen a response to this issue via either dochelp or this forum thread. Was it resolved? I’m going to close this on our end. But, if this still requires attention, please contact us.

    Tom

    Friday, December 2, 2011 11:28 PM
    Moderator

All replies

  • Hi, Glen,

    SSPI is not covered in Open Specification documentation. But it is well documented on MSDN. MakeSignature corresponds to the GSS_GetMIC function, as indicated on http://msdn.microsoft.com/en-us/library/aa380496(v=VS.85).aspx.

    The following article contains the documentation for MakeSignature, including a sample: http://technet.microsoft.com/en-us/library/bb742535.aspx

    Thanks!

    Hongwei Sun -MSFT
    Sunday, August 28, 2011 9:02 PM
  • Thank you for the response. But I would like to get more details of [MS-SIPAE], because my application receives HRESULT="0xC3E93EC8(SIP_E_AUTH_INVALIDSIGNATURE)" from the server all the time.

    Because "INVALIDSIGNATURE" is sent back, I suppose I did something wrong in 3.2.4.1, Step 3. This is where I create a buffer that looks like "<NTLM><0f69ec40><1><SIP Communications Service>…..". So I have the following questions:

    1. What do the words "Note that for the NTLM Security Support Provider Interface (SSPI), the protocol client provides a fixed message sequence number of 100 in addition to the buffer and protocol context" mean? Does it mean I should call MakeSignature with MessageSeqNo=100? And what should I put into the CSeq header field: 100? Or just the next sequence number (3 in my case)? I cannot understand this.

    2. What should I put into fQOP of MakeSignature? It is described as "Package-specific flags that indicate the quality of protection". What should be put into it for the NTLM I use?

    3. I looked at the protocol examples on http://msdn.microsoft.com/en-us/library/cc431510.aspx and see the following contradictions.

    On http://msdn.microsoft.com/en-us/library/dd924859(v=office.12).aspx the buffer looks as follows: "<Kerberos><1d7d4ecf><SIP Communications Service><sip/server.contoso.com><c7142b90f8c94668807a382f552a6770><2><REGISTER><alice@contoso.com><604168c9c0><alice@contoso.com><9588410E2DA11CEE9D0AE7733E07830F><><><>". Why is the cnum omitted? It should be the 3rd element. Why is "The tag parameter value from the To header field" specified ("<9588410E2DA11CEE9D0AE7733E07830F>")? The tag is in fact absent from the To header: I see "To: <sip:alice@contoso.com>" below, without any tag. Is this just a misprint, or do I not understand something in the protocol? The buffer in the TLSDSK example (http://msdn.microsoft.com/en-us/library/ff530353(v=office.12).aspx) corresponds to the protocol exactly, so does the example http://msdn.microsoft.com/en-us/library/dd924859(v=office.12).aspx contain errors?

    Monday, August 29, 2011 8:22 AM
  • Hi Glen,

    I will be looking into this for you and will get back to you shortly.

    Best regards,
    Tom Jebo
    Escalation Engineer
    Microsoft Open Specifications

    Monday, September 12, 2011 5:24 PM
  • Hi Glen,

    Just an update, your question #1 was answered on this thread.  Here's what was given as the response, let me know if that's not clear enough:

    "Section 3.4.4 of MS-NLMP says "In the case of connectionless NTLM authentication, the SeqNum parameter SHOULD be specified by the application". When using NTLM in the context of MS-SIPAE, the SeqNum value supplied by the application is always 100. The actual value that ends up in the NTLMSSP_MESSAGE_SIGNATURE might be different and it depends on security flags negotiated by the NTLM during SA establishement (see section 3.4.4 of MS-NLMP)."

    I'll get back to you on #2 and #3.

    Tom

    Tuesday, September 20, 2011 2:26 PM
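Putting together the two points the thread confirms (MakeSignature is the SSPI counterpart of GSS_GetMIC, and for NTLM under MS-SIPAE the application supplies message sequence number 100), the following C example, added here and not taken from the thread, from Microsoft's samples or from [MS-SIPAE], builds the bracketed signing buffer from its elements and shows how the SecBufferDesc handed to MakeSignature is laid out. The sipae_-prefixed names, the placeholder element values and the empty trailing elements are constructed for illustration; the complete element order is defined in [MS-SIPAE] and is not reproduced here. fQOP is passed as 0, which the thread leaves unanswered (question #2), so treat that as an assumption. The SSPI part compiles only on Windows (SECURITY_WIN32 plus sspi.h); the buffer construction is portable.

```c
/* Added example: MS-SIPAE signing buffer + SSPI MakeSignature call layout.
 * Not code from the thread or from [MS-SIPAE]; values are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#endif

/* Conventions from the thread for NTLM: the application-supplied SeqNum is
 * always 100.  fQOP = 0 is an assumption (the thread never settles it). */
#define SIPAE_NTLM_SEQNUM 100UL
#define SIPAE_NTLM_FQOP   0UL

/* Join elements as "<e1><e2>...<eN>".  A NULL or empty element is emitted
 * as "<>", matching the "<><><>" tail in the thread's Kerberos example.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *sipae_build_buffer(const char *const *elems, size_t n)
{
    size_t total = 1;                       /* terminating NUL */
    for (size_t i = 0; i < n; i++)
        total += 2 + strlen(elems[i] ? elems[i] : "");

    char *out = malloc(total);
    if (!out)
        return NULL;

    char *p = out;
    for (size_t i = 0; i < n; i++) {
        const char *e = elems[i] ? elems[i] : "";
        size_t len = strlen(e);
        *p++ = '<';
        memcpy(p, e, len);
        p += len;
        *p++ = '>';
    }
    *p = '\0';
    return out;
}

#ifdef _WIN32
/* Sign buf with the NTLM context stored for the SA (the CtxtHandle returned
 * by InitializeSecurityContext).  On entry *sig_len is the size of sig and
 * must be at least SecPkgContext_Sizes.cbMaxSignature, obtained with
 * QueryContextAttributes(ctx, SECPKG_ATTR_SIZES, ...).  On SEC_E_OK,
 * *sig_len is the actual signature token length.  The data buffer is only
 * read; the signature is written to the SECBUFFER_TOKEN buffer. */
SECURITY_STATUS sipae_ntlm_sign(PCtxtHandle ctx,
                                const char *buf, size_t buf_len,
                                unsigned char *sig, unsigned long *sig_len)
{
    SecBuffer bufs[2];
    SecBufferDesc desc;

    bufs[0].BufferType = SECBUFFER_DATA;    /* the buffer being signed   */
    bufs[0].cbBuffer   = (unsigned long)buf_len;
    bufs[0].pvBuffer   = (void *)buf;

    bufs[1].BufferType = SECBUFFER_TOKEN;   /* receives the signature    */
    bufs[1].cbBuffer   = *sig_len;
    bufs[1].pvBuffer   = sig;

    desc.ulVersion = SECBUFFER_VERSION;
    desc.cBuffers  = 2;
    desc.pBuffers  = bufs;

    SECURITY_STATUS st = MakeSignature(ctx, SIPAE_NTLM_FQOP, &desc,
                                       SIPAE_NTLM_SEQNUM);
    if (st == SEC_E_OK)
        *sig_len = bufs[1].cbBuffer;        /* bytes actually written    */
    return st;
}
#endif

int main(void)
{
    /* Constructed placeholder elements; the leading ones mirror the start of
     * the thread's NTLM example.  The remaining element order comes from
     * [MS-SIPAE] and is stood in for here by empty elements. */
    const char *elems[] = { "NTLM", "0f69ec40", "1",
                            "SIP Communications Service", "", "", "" };
    char *buf = sipae_build_buffer(elems, sizeof elems / sizeof elems[0]);
    if (!buf)
        return 1;
    puts(buf);
    /* On Windows, sipae_ntlm_sign(ctx, buf, strlen(buf), sig, &sig_len)
     * would follow, using the SA's CtxtHandle; no SA exists in this
     * stand-alone example, so the call is not made. */
    free(buf);
    return 0;
}
```

The point of splitting the work this way is that the exact bytes passed in the SECBUFFER_DATA buffer are what the server recomputes on its side, so any difference in element order or in an empty element (an omitted `<>` versus a missing field) yields the SIP_E_AUTH_INVALIDSIGNATURE reported earlier in the thread; building the buffer in one function makes it easy to log and compare against a capture.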
  • Hey Glen,

    Can you send me an email at dochelp at Microsoft dot com.  In the email, if you could include a few things:

    1) a netmon capture of the traffic (with a side file of the certificate) between the server and your client. Include in the capture the handshake between server and client.

    2) a brief description of the scenario (what you're trying to accomplish from a high level)

    3) the server type and version information

    Thanks for your patience,

    Tom Jebo

    Escalation Engineer

    Microsoft Open Specifications

    Monday, October 3, 2011 8:44 PM
    Moderator