[MS-NLMP] and [MS-SIPAE] MAC calculation without NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

  • Question

  • I'm writing an NTLM library to use for a client that is connecting to an LCS server (so NTLM with Connectionless oriented call flow as per MS-SIPAE) and I have found the following issue:

    When connecting to the LCS server using NTLMv1 or v2 authentication without negotiated NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY I am unable to correctly calculate MAC value using the algorithm in 3.4.4.1 of the MS-NLMP document. However if I modify the NTLMRevisionCurrent in the VERSION structure sent to the server to be 0x0A instead of 0x0F I am then able to correctly calculate the MAC value - however it requires NOT reinitializing the sealing key as per section 3.4 of MS-NLMP. I am able to calculate the correct MAC value when NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is negotiated.

    I believe there may be an issue with the documentation when calculating the MAC without negotiated NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and I am unable to figure out what the actual algorithm used is.

    Wednesday, November 14, 2012 8:04 PM

Answers

  • Thanks to some excellent help from Obaid this has been solved. In the case where NTLMRevisionCurrent was set to 0xF I needed to treat the seal key calculation as if NTLMSSP_NEGOTIATE_LM_KEY was set; this changed the key used for the MAC calculation and provided the correct signature.
    Monday, December 10, 2012 1:40 PM
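
    An added example, not part of the original thread and not Microsoft's code: a sealing-key selection routine written from the SEALKEY pseudocode in MS-NLMP, showing why the same datagram-mode session key yields a different RC4 key (and so a different MAC) for revision 0x0A and 0x0F. The function name `seal_key`, its parameters and the sample key are assumptions made for illustration.

```python
import hashlib

# Flag and revision values as defined in MS-NLMP.
NEGOTIATE_DATAGRAM = 0x00000040
NEGOTIATE_LM_KEY = 0x00000080
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NEGOTIATE_128 = 0x20000000
NEGOTIATE_56 = 0x80000000
NTLMSSP_REVISION_W2K3 = 0x0F

CLIENT_SEAL_MAGIC = b"session key to client-to-server sealing key magic constant\x00"
SERVER_SEAL_MAGIC = b"session key to server-to-client sealing key magic constant\x00"


def seal_key(neg_flags, session_key, revision, client=True):
    """Select the RC4 sealing key from the 16-byte session key (hypothetical helper)."""
    if neg_flags & NEGOTIATE_EXTENDED_SESSIONSECURITY:
        if neg_flags & NEGOTIATE_128:
            base = session_key
        elif neg_flags & NEGOTIATE_56:
            base = session_key[:7]
        else:
            base = session_key[:5]
        magic = CLIENT_SEAL_MAGIC if client else SERVER_SEAL_MAGIC
        return hashlib.md5(base + magic).digest()
    # Without extended session security: LM_KEY, or datagram mode with a
    # revision of at least 0x0F, selects the truncated-and-padded key.
    weakened = bool(neg_flags & NEGOTIATE_LM_KEY) or (
        bool(neg_flags & NEGOTIATE_DATAGRAM) and revision >= NTLMSSP_REVISION_W2K3)
    if weakened:
        if neg_flags & NEGOTIATE_56:
            return session_key[:7] + b"\xa0"
        return session_key[:5] + b"\xe5\x38\xb0"
    return session_key


# Constructed sample: a dummy session key, datagram mode, no LM_KEY, no ESS.
SAMPLE_KEY = bytes([0x55] * 16)
FLAGS = NEGOTIATE_DATAGRAM | NEGOTIATE_56
KEY_REV_0A = seal_key(FLAGS, SAMPLE_KEY, 0x0A)  # full session key
KEY_REV_0F = seal_key(FLAGS, SAMPLE_KEY, 0x0F)  # same key as the LM_KEY case
KEY_LM = seal_key(NEGOTIATE_LM_KEY | NEGOTIATE_56, SAMPLE_KEY, 0x0A)
```

    A library that only tests NTLMSSP_NEGOTIATE_LM_KEY takes the final branch and keys RC4 with the full session key, which matches the server only when the advertised revision is below 0x0F.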

All replies

  • Hi conorhr, thank you for your question. A member of the protocol documentation team will respond to you soon.


    Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team

    Wednesday, November 14, 2012 9:39 PM
    Moderator
  • Hi Conorhr:

    I will help you with this issue.

    Can you please send network traces exhibiting the behavior you described? Please send both error and success scenarios without extended session security as well as the success scenario with extended session security. I will also need the password to verify the calculations. You can send the info to my attention to dochelp at microsoft dot com.


    Regards, Obaid Farooqi

    Friday, November 16, 2012 3:45 PM
    Owner
  • Thank you. I have collected up these network traces and I am sending them over now with the password to that email address.
    Friday, November 16, 2012 6:33 PM