MIC field in AUTHENTICATE_MESSAGE mandatory or optional

  • Question

  •     I am wondering if the MIC value in AUTHENTICATE_MESSAGE is a mandatory value or an optional value? The MS-NLMP.pdf document doesn't mention that MIC is an optional value in the description of the field in AUTHENTICATE_MESSAGE. It has the following description.

        <snip>

        MIC (16 bytes): The message integrity for the NTLM NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, and AUTHENTICATE_MESSAGE.

        </snip>

        However, while describing MsvAvFlags, it does mention that the value 0x00000002 indicates that the client is providing message integrity in the MIC field.

        <snip>

        MsvAvFlags - 0x0006
                   A 32-bit value indicating server or client configuration.
                         0x00000001: Indicates to the client that the account authentication is constrained.
                         0x00000002: Indicates that the client is providing message integrity in the MIC field (section 2.2.1.3) in the AUTHENTICATE_MESSAGE.

        </snip>

         Also, there is no mention of AV_PAIR values in AUTHENTICATE_MESSAGE other than the NTLMv2 client challenge. So does this mean that with NTLMv1, message integrity in the MIC field is either mandatory or the MIC field doesn't contain valid message integrity?

    Thursday, May 5, 2016 12:16 PM

Answers

  • Hi Prasad:

    MIC is optional and is only used in NTLMv2 authentication.

    The optionality of this field can be inferred from the fact that the MS-NLMP document only recommends to send it in the following condition (section “3.1.5.1.2 Client Receives a CHALLENGE_MESSAGE from the Server”):

    “If the CHALLENGE_MESSAGE TargetInfo field (section 2.2.1.2) has an MsvAvTimestamp present, the client SHOULD provide a MIC..."

    The fact that MIC is not used in NTLMv1 can be inferred from several sections in the document. For example, in section “3.3.1 NTLM v1 Authentication”, you will notice that MIC is not verified, not even mentioned. You provided the other proof that MIC is not used in NTLMv1 since AV_PAIRS are not present in NTLMv1 authenticate message as evidenced by section “2.2.2.7 NTLM v2: NTLMv2_CLIENT_CHALLENGE”.

    Please let me know if this does not answer your question.

    Also please let me know if you have any more questions on MS-NLMP or any other document in the open specifications document set, available at https://msdn.microsoft.com/library/dd208104.aspx



    Regards, Obaid Farooqi

    Thursday, May 5, 2016 5:44 PM
    Owner
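As an added example, not code from the thread or from Microsoft, here is a server-side sketch of the checks this answer implies: walk the AV_PAIRs of the CHALLENGE_MESSAGE TargetInfo and of the NTLMv2 client challenge, decide whether a MIC should be present (timestamp offered, MsvAvFlags bit 0x2 set, response longer than the 24-byte NTLMv1 form), and verify the MIC as HMAC_MD5 over the three messages with the MIC field zeroed. The field offsets, the MIC formula and the sample bytes are my reading of the MS-NLMP layouts, and the samples are constructed rather than captured.

```python
import hashlib, hmac, struct

MSV_AV_EOL, MSV_AV_FLAGS, MSV_AV_TIMESTAMP = 0x0000, 0x0006, 0x0007
AV_FLAG_MIC_PROVIDED = 0x00000002   # MsvAvFlags bit: client is providing a MIC
MIC_OFFSET = 72                     # offset of the 16-byte MIC field in AUTHENTICATE_MESSAGE

def parse_av_pairs(buf: bytes) -> dict:
    """Walk an AV_PAIR list (AvId u16 LE, AvLen u16 LE, Value) up to MsvAvEOL."""
    pairs, off = {}, 0
    while off + 4 <= len(buf):
        av_id, av_len = struct.unpack_from("<HH", buf, off)
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = buf[off + 4:off + 4 + av_len]
        off += 4 + av_len
    raise ValueError("AV_PAIR list not terminated by MsvAvEOL")

def nt_response_av_pairs(nt_challenge_response: bytes) -> dict:
    """NTLMv1 responses are 24 bytes with no AV_PAIRs; NTLMv2 = NTProofStr(16) +
    NTLMv2_CLIENT_CHALLENGE, whose AvPairs begin 28 bytes into that structure."""
    if len(nt_challenge_response) <= 24:
        return {}
    return parse_av_pairs(nt_challenge_response[16 + 28:])

def client_flags_mic(nt_challenge_response: bytes) -> bool:
    """True when the client set MsvAvFlags bit 0x2, i.e. it is providing a MIC."""
    raw = nt_response_av_pairs(nt_challenge_response).get(MSV_AV_FLAGS, b"\x00" * 4)
    return bool(struct.unpack("<I", raw[:4])[0] & AV_FLAG_MIC_PROVIDED)

def mic_expected(target_info: bytes, nt_challenge_response: bytes) -> bool:
    """Server side: MsvAvTimestamp was offered and the NTLMv2 client answered with the flag."""
    return MSV_AV_TIMESTAMP in parse_av_pairs(target_info) and client_flags_mic(nt_challenge_response)

def compute_mic(exported_session_key, negotiate, challenge, authenticate) -> bytes:
    """HMAC_MD5(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE) with MIC zeroed."""
    zeroed = authenticate[:MIC_OFFSET] + b"\x00" * 16 + authenticate[MIC_OFFSET + 16:]
    return hmac.new(exported_session_key, negotiate + challenge + zeroed, hashlib.md5).digest()

def verify_mic(exported_session_key, negotiate, challenge, authenticate) -> bool:
    """Constant-time comparison of the transmitted MIC against the recomputed value."""
    expected = compute_mic(exported_session_key, negotiate, challenge, authenticate)
    return hmac.compare_digest(expected, authenticate[MIC_OFFSET:MIC_OFFSET + 16])

# Constructed samples (not a real capture): TargetInfo carrying MsvAvTimestamp, an NTLMv2
# response whose AvPairs set the MIC flag, and a 24-byte NTLMv1 response.
SAMPLE_TARGET_INFO = b"\x07\x00\x08\x00" + b"\x00" * 8 + b"\x00\x00\x00\x00"   # timestamp, EOL
SAMPLE_V2_RESPONSE = (b"\x11" * 16 + b"\x01\x01" + b"\x00" * 26               # NTProofStr, header
                      + b"\x06\x00\x04\x00\x02\x00\x00\x00" + b"\x00" * 4     # MsvAvFlags=0x2, EOL
                      + b"\x00" * 4)                                          # Reserved4
SAMPLE_V1_RESPONSE = b"\x22" * 24
```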

All replies

  • Hello Prasad,

    Thank you for your question. One of our team members will respond to you shortly.

    Thanks,
    Kamil Sykora

    Thursday, May 5, 2016 1:14 PM
  • Hi Prasad:

    I'll help you with this issue and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Thursday, May 5, 2016 3:45 PM
    Owner
  • Hi Obaid,

        Thanks for the clarifications; this information should be sufficient to serve the purpose of this post. However, what I had observed is that a Windows 7 SP1 client does seem to send a MIC even though the client is sending an NTLMv1 authentication message. This is a little misleading (it added confusion initially), though the behavior is not wrong. You can consider this thread closed.

        Thank you once again for your prompt reply.


    Monday, May 9, 2016 9:23 AM
  • Hi Prasad:

    I find it strange that the client is using NTLMv1 authentication but sending a MIC. Can you please send me the network trace that shows this behavior?

    You can send an email to dochelp at Microsoft dot com to my attention.


    Regards, Obaid Farooqi

    Monday, May 9, 2016 6:29 PM
    Owner
  • Hi Obaid,

        I have sent a mail with the packet trace attached to the mail id you mentioned.

    Regards,

    Prasad.

    Tuesday, May 10, 2016 9:45 AM