Exchange authentication services ids

  • Question

  • Hello all,

    During traffic analysis I ran into the following situation:
    there is an authentication verifier structure that has an auth_type field in the RPC packet.
    According to OpenGroup's "DCE 1.1 Remote Procedure Call" doc it should have only two possible values:
    dce_c_rpc_authn_protocol_none = 0
    dce_c_rpc_authn_protocol_krb5 = 1

    However in my case it can be only
    0x00 for "non-encrypted" settings in email account (it is dce_c_rpc_authn_protocol_none)
    0x09 for "Kerberos/NTLM Password Authentication"
    0x0A for "Password Authentication (NTLM)"
    0x10 for "Kerberos Password Authentication"

    So is 0x10 equivalent to 0x1 of the standard?
    Is it exactly Kerberos V?
    And what is 0x09 - where can I read about this scheme?


    Thank you,
    Sergiy


    Thanks
    Friday, July 11, 2008 2:37 PM

All replies

  • You might find the information you are looking for in the MS-RPCE specification:
    http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-RPCE%5D.pdf
    Specification section 2.2.1.1.7

    Not much Microsoft does is "exactly" standard :-)

    The Kerberos Extensions are documented in:
    http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-KILE%5D.pdf

    Hope this helps.

    Brad

    Saturday, July 12, 2008 11:58 AM
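
Added example, not part of the original thread and not Microsoft's code: a Python parser that locates the authentication verifier in a connection-oriented DCE/RPC PDU and names its auth_type using the values listed in MS-RPCE section 2.2.1.1.7, which cover the 0x09, 0x0A and 0x10 values from the question. The `build_sample` helper, its placeholder body and its token bytes are constructed for illustration.

```python
import struct

# auth_type values as listed in MS-RPCE section 2.2.1.1.7
AUTH_TYPES = {
    0x00: "RPC_C_AUTHN_NONE",
    0x09: "RPC_C_AUTHN_GSS_NEGOTIATE",   # SPNEGO: Kerberos or NTLM
    0x0A: "RPC_C_AUTHN_WINNT",           # NTLM
    0x0E: "RPC_C_AUTHN_GSS_SCHANNEL",
    0x10: "RPC_C_AUTHN_GSS_KERBEROS",
    0x44: "RPC_C_AUTHN_NETLOGON",
    0xFF: "RPC_C_AUTHN_DEFAULT",
}
HDR_LEN = 16      # common header of a connection-oriented PDU
TRAILER_LEN = 8   # fixed part of the auth verifier, before auth_value


def parse_auth_verifier(pdu: bytes):
    """Return the auth verifier fields of one PDU, or None if it has none."""
    if len(pdu) < HDR_LEN:
        raise ValueError("shorter than the common header")
    if pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC PDU")
    # packed_drep[0] high nibble: 1 = little-endian integers, 0 = big-endian
    order = "<" if pdu[4] >> 4 == 1 else ">"
    frag_length, auth_length = struct.unpack_from(order + "HH", pdu, 8)
    if auth_length == 0:
        return None
    start = frag_length - auth_length - TRAILER_LEN
    if frag_length > len(pdu) or start < HDR_LEN:
        raise ValueError("frag_length/auth_length inconsistent with PDU size")
    auth_type, auth_level, pad_len, _reserved, ctx_id = struct.unpack_from(
        order + "BBBBI", pdu, start)
    return {
        "auth_type": auth_type,
        "auth_type_name": AUTH_TYPES.get(auth_type, "unknown"),
        "auth_level": auth_level,
        "auth_pad_length": pad_len,
        "auth_context_id": ctx_id,
        "auth_value": pdu[start + TRAILER_LEN:frag_length],
    }


def build_sample(auth_type: int, token: bytes = b"TOKEN-PLACEHOLDER") -> bytes:
    """Constructed bind PDU: header, 4 placeholder body bytes, verifier."""
    body = b"\x00" * 4
    frag = HDR_LEN + len(body) + TRAILER_LEN + len(token)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00",
                      frag, len(token), 1)
    return hdr + body + struct.pack("<BBBBI", auth_type, 6, 0, 0, 0) + token
```

The verifier is found from the end of the fragment (frag_length minus auth_length minus the 8 fixed bytes), so the parser does not need to understand the PDU body.
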
  • Hi Sergiy, thanks for your post. We will review your question and update the forum once our investigation is complete.

    Thanks!
    John Dunning
    Escalation Engineer Microsoft Corporation
    US-CSS DSC PROTOCOL TEAM
    Saturday, July 12, 2008 2:38 PM
  • Hi Sergiy,
    Could you obtain a network capture for me using either Wireshark or preferably Netmon 3.0? That would really help me in understanding your questions.

    Thanks!
    John Dunning
    Escalation Engineer Microsoft Corporation
    US-CSS DSC PROTOCOL TEAM
    Monday, July 14, 2008 4:31 PM
  • Any feedback?
    Developer Consultant
    Thursday, August 7, 2008 12:48 AM
    Moderator
  • No feedback so I'm assuming that this question has been answered.
    Developer Consultant
    Friday, August 8, 2008 5:50 PM
    Moderator