I'm implementing a SIP server with NTLM auth according to the MS-SIPAE and MS-NLMP specs. When a client using SSPI connects to my server, the NTLM session appears to be established correctly (i.e. the CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE are exchanged properly and the first signed REGISTER response from the server is accepted by the client). However, every message following the first fails signature verification (i.e. the SSPI VerifySignature function is returning 0x8009030f SEC_E_MESSAGE_ALTERED). I can provide trace logs on request.
My server implementation works with the Pidgin client using SIPE if configured with its own NTLM implementation, but fails when it's configured to use SSPI.
Is it possible that SSPI implements NTLM signature verification differently than how it's described in the MS-SIPAE or MS-NLMP docs?
- Edited by Eden Li Tuesday, December 18, 2012 9:00 PM
I have taken ownership of this inquiry and will be assisting you. Can you please send a network trace to my attention, Tarun Chopra, to dochelp at microsoft dot com for further analysis? Furthermore, please confirm if you are using extended session security.
Tarun Chopra | Escalation Engineer | Open Specifications Support Team