MS-SIPAE - 3.3.2 session timer incorrect?

  • Question

  • Dear MS documentation team,

    We experience that the NTLM security association sometimes gets "stale" before the described 8 hours (at 3.3.2).

    "When the NTLM or Kerberos authentication handshake completes and the SA enters the "established" state, the SIP server MUST start an SA expiration timer with a value of 8 hours."

    We implemented the recommended handshake 5 minutes earlier, as recommended: "A value of five (5) minutes or longer is recommended (SHOULD)." At this time, sometimes the old security association is already deleted on the server.

    Our current assumption is that the time is not a fixed value (8 hours) but rather a variable timeframe (which would make sense from a load perspective).

    Regards

    Tim Koehler
    Wednesday, October 7, 2009 9:02 AM
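The refresh scheduling the post describes, as an added example that is not part of this thread or of the MS-SIPAE specification: a client-side SA tracker that re-runs the handshake 5 minutes before the 8-hour server timer and, on an early 401 (the "stale" case reported above), re-authenticates at once and plans the next refresh on the lifetime actually observed. The `SaTracker` class, its constant names and the adaptive shortening of the assumed lifetime are my assumptions, not behaviour the spec defines.

```python
"""Client-side tracker for the security association (SA) timer of MS-SIPAE 3.3.2.

The server starts an 8-hour expiration timer once the SA is established and the
client is expected to re-run the NTLM/Kerberos handshake at least 5 minutes
before that. This model (an assumption, not spec text) also handles the server
answering 401 Unauthorized before the 8 hours are over.
"""

SA_LIFETIME_S = 8 * 60 * 60   # server-side SA expiration timer from the spec
REFRESH_MARGIN_S = 5 * 60     # recommended minimum lead time for the re-handshake


class SaTracker:
    def __init__(self, established_at: float) -> None:
        self.established_at = established_at
        # Lifetime the client plans around; shortened when the server drops
        # the SA earlier than advertised (assumed client policy).
        self.assumed_lifetime_s = SA_LIFETIME_S
        self.handshakes = 1
        self.early_expiries = 0

    def refresh_due_at(self) -> float:
        """Time at which the client should proactively re-run the handshake."""
        return self.established_at + self.assumed_lifetime_s - REFRESH_MARGIN_S

    def needs_refresh(self, now: float) -> bool:
        return now >= self.refresh_due_at()

    def on_handshake_complete(self, now: float) -> None:
        """Called when a new SA enters the 'established' state."""
        self.established_at = now
        self.handshakes += 1

    def on_response(self, now: float, status: int) -> bool:
        """Return True if a new handshake must be started immediately."""
        if status != 401:
            return False
        age = now - self.established_at
        if age < self.assumed_lifetime_s - REFRESH_MARGIN_S:
            # The SA went stale before the planned refresh: remember it and
            # schedule future refreshes on the observed lifetime instead.
            self.early_expiries += 1
            self.assumed_lifetime_s = max(age, 2 * REFRESH_MARGIN_S)
        return True
```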

Answers

  • Tim,

    I will archive the information that we have received thus far. If you wish for us to continue an investigation into this matter, feel free to post in the future.

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team
    Wednesday, November 4, 2009 3:57 PM

All replies

  • Hi Tim, thanks for your post regarding the [MS-SIPAE] protocol specification. I have alerted my team to this, and one of us will contact you soon.

    Regards,
    Bill Wesse

    Escalation Engineer
    Wednesday, October 7, 2009 12:36 PM
  • Tim,

    Thanks for the question about MS-SIPAE and the 8-hour expiration issue you're observing. I'll be looking into this for you. In the meantime, could you fill in some details for me?

    1. What version of server are you using?
    2. Do you have any trace or other data you can share with me?

    You can respond to EMAIL GONE with data if you'd prefer. Just reference my name and attach the information and description, title, etc. from this forum.

    Regards,
    Tom Jebo
    Senior Support Escalation Engineer
    Microsoft DS Protocol Team
    Thursday, October 8, 2009 3:25 PM
    Moderator
  • Hi Tom,

    1. 2007 R2 -- RTCC/3.5.0.0 (Standard Edition on Windows Server 2008)
    2. Theoretically yes, but the only thing you see is that the server sends back an "unauthorized" before the 8 hours are "over". In the event log of the server there is then an entry telling that the NTLM session is in a stale state. The interesting thing, though, is that it happens in different environments, with different connection types, etc., so we assume it's a more general thing. --> The session is not 8 hours long as "promised" in the documentation.

    BTW, snom has a federation with Microsoft; I also know who might help with these questions, feel free to ping me (EMAIL REMOVED). I can then also share desktop, etc.

    Cheers

    Tim

    Thursday, October 8, 2009 5:03 PM
  • Tim,

    Your email was removed from the post. Please send an email to EMAIL GONE and we can discuss.

    Regards,
    Tom Jebo
    Senior Support Escalation Engineer
    Microsoft DS Protocol Team
    Thursday, October 8, 2009 7:06 PM
    Moderator
  • Sorry Tim, mine was removed also. Just email "dochelp" and the domain is winse.microsoft.com.

    Regards,
    Tom Jebo
    Senior Support Escalation Engineer
    Microsoft DS Protocol Team
    Thursday, October 8, 2009 7:14 PM
    Moderator
  • Tim,

    We still have not received any trace from you. Do you wish us to still investigate this issue?

    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team
    Monday, November 2, 2009 4:52 PM