SMB protocol: Windows client always tries Kerberos authentication, ignoring the SPNEGO information in the Negotiate Protocol Response

  • Question

  • Hi

    I have a Linux-based SMB server and a Windows 7 client which maps a share using the SMB protocol. Both the Linux SMB server and the Windows client are joined to a Windows domain. I want the client to authenticate using NTLMSSP, not Kerberos. In order to achieve this, in the Negotiate Protocol Response the SPNEGO token has only NTLMSSP as the supported mechanism. In spite of receiving such a response saying only NTLMSSP is supported, the Windows 7 client still tries to authenticate using Kerberos.

    Please let me know if you want to check the packet trace showing the same.

    Thanks

    Jimmy

    Monday, July 20, 2015 1:37 PM

Answers

  • Hi Jimmy:

    I have received the traces. I am looking into them. I'll update through email and once a resolution is reached, I'll update this thread.


    Regards, Obaid Farooqi

    Thursday, July 30, 2015 4:03 PM
    Owner
  • Forum Update:

    This issue is resolved. The solution is as follows:

    As explained in MS-AUTHSOD section 2.9, Windows will use Kerberos if it is available. In this case what is happening is that the Windows client uses Kerberos since it is available and ignores the negTokenInit2 from the server. The server should not accept the Kerberos AP-REQ optimistic token and should send NTLM as the supported mech in negTokenResp, as explained in RFC 4178 section 3.2 (c) (II), if the server wants to use NTLM authentication.


    Regards, Obaid Farooqi

    Tuesday, October 27, 2015 3:24 PM
    Owner
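The server-side step described in that answer, as an added example that is not code from this thread or from any SMB server: a minimal DER codec that reads the mechTypes list from the client's negTokenInit and, because the server only supports NTLMSSP, answers with negTokenResp{accept-incomplete, supportedMech = NTLMSSP} without ever touching the optimistic Kerberos mechToken. The sample client token is constructed (its mechToken is a placeholder string, not a real AP-REQ).

```python
def tlv(tag, value):                      # DER TLV encoder, definite length
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos=0):                 # DER TLV decoder -> (tag, value, next pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

# Well-known mechanism OIDs, already DER-encoded (tag 0x06, length, base-128 arcs)
SPNEGO  = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MS_KRB5 = bytes.fromhex("06092a864882f712010202")      # 1.2.840.48018.1.2.2
KRB5    = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
ACCEPT_INCOMPLETE, REJECT = 1, 2          # negState values, RFC 4178 section 4.2.2

def client_mech_types(init_token):
    """mechTypes (DER OIDs, in the client's preference order) from a negTokenInit."""
    body = read_tlv(init_token)[1]                         # [APPLICATION 0] InitialContextToken
    after_oid = read_tlv(body)[2]                          # skip thisMech (the SPNEGO OID)
    seq = read_tlv(read_tlv(body, after_oid)[1])[1]        # [0] negTokenInit -> SEQUENCE
    mlist = read_tlv(read_tlv(seq)[1])[1]                  # [0] mechTypes -> SEQUENCE OF
    out, pos = [], 0
    while pos < len(mlist):
        tag, val, pos = read_tlv(mlist, pos)
        out.append(tlv(tag, val))
    return out

def ntlm_only_response(init_token):
    """negTokenResp for a server that accepts only NTLMSSP (RFC 4178 3.2(c)(ii)):
    the optimistic Kerberos AP-REQ in the client's mechToken is deliberately ignored."""
    if NTLMSSP in client_mech_types(init_token):
        fields = tlv(0xA0, tlv(0x0A, bytes([ACCEPT_INCOMPLETE]))) + tlv(0xA1, NTLMSSP)
    else:                                                  # no common mechanism: reject
        fields = tlv(0xA0, tlv(0x0A, bytes([REJECT])))
    return tlv(0xA1, tlv(0x30, fields))                    # [1] negTokenResp { SEQUENCE }

def sample_client_token(mechs=(MS_KRB5, KRB5, NTLMSSP)):
    """Constructed negTokenInit like a Windows Session Setup: Kerberos listed first,
    plus an optimistic mechToken (a placeholder here, not a real AP-REQ)."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(mechs)))
    mech_token = tlv(0xA2, tlv(0x04, b"KRB_AP_REQ placeholder (constructed) " * 4))
    return tlv(0x60, SPNEGO + tlv(0xA0, tlv(0x30, mech_types + mech_token)))
```

After this reply the client is expected to send its NTLM NEGOTIATE message as the responseToken of its own negTokenResp; a client that instead keeps sending Kerberos is the trace worth capturing.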

All replies

  • Hi,

    Thank you for this inquiry. One of our engineers will look into this and follow-up soon.

    Thanks,

    Edgar

    Wednesday, July 29, 2015 3:00 PM
    Moderator
  • Hi Jimmy:

    I'll help you with this issue. Can you please send a network trace to my attention to dochelp at Microsoft dot com?


    Regards, Obaid Farooqi

    Wednesday, July 29, 2015 4:07 PM
    Owner
  • Hi Obaid,

    I have sent the network trace over mail. Subject line of the mail is same as the subject of this thread.

    Thanks

    Jimmy

    Thursday, July 30, 2015 7:42 AM