Use NetrLogonSamLogonEx for NTLMv2 pass-through authentication

  • Question

  • Our proxy acts as a domain member and we are looking for a solution to perform NTLMv2 pass-through authentication. The NetrLogonSamLogonEx API provides such authentication by using LogonLevel NetlogonGenericInformation (4). NTLMv2 considers the server host name and other security enhancements in the NTLM Type 3 message; would the NetrLogonSamLogonEx API complete NTLMv2 pass-through authentication if called from the proxy?

    Tuesday, June 14, 2011 12:10 AM

Answers

  • Janis,

    Since we do not control the whole client/server ecosystem, we can only speak to the known scenarios that the protocols were specified upon.

    As documented in MS-APDS and MS-NRPC, there are three roles involved in NTLM pass-through authentication: the client, the server, and a domain controller.

    The server does pass-through authentication to the Netlogon secure channel and gets a session key back from the DC. The DC will only send the session key to the server that issued the challenge (see MS-NLMP for details).

    One type of target name validation is service binding done by the server. The other type is done by the DC based on canonical names in the challenge, so that the DC only releases a session key to the server that issued the challenge. This is one reason why a man-in-the-middle cannot get session keys for authentications to which it is not a party.

    Regards,

    Edgar

    Thursday, June 30, 2011 4:08 PM
    Moderator
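The binding the answer describes, modelled as an added example (this is not code from the thread, from MS-NLMP, or from any Microsoft implementation): the NTLMv2 response covers both the server's 8-byte challenge and the target information (AV pairs such as MsvAvNbComputerName) carried in that challenge, so a verifier that recomputes NTProofStr over the challenge it issued, and checks that the echoed target info names itself, only accepts responses to its own challenge. The NT hash, user, domain and server names are constructed placeholders, and the computer-name comparison in `verify_ntlmv2` is a simplified stand-in for the DC-side canonical-name validation the answer mentions, not the actual Netlogon logic.

```python
"""NTLMv2 response computation (MS-NLMP 3.3.2 layout) and verifier-side checks.

Added illustration: shows why a response is bound to the server that issued
the challenge. All credentials and names below are constructed placeholders.
"""
import hashlib
import hmac
import struct

# AV_PAIR ids from MS-NLMP 2.2.2.1
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_NB_DOMAIN_NAME = 0x0002
MSV_AV_DNS_COMPUTER_NAME = 0x0003


def av_pairs(pairs):
    """Encode a list of (AvId, unicode string) as AV_PAIRs ending in MsvAvEOL."""
    out = b""
    for av_id, value in pairs:
        data = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(data)) + data
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob):
    """Decode AV_PAIRs (up to MsvAvEOL) into a dict of AvId -> string."""
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len


def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain in UTF-16LE)."""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, msg, hashlib.md5).digest()


def ntlmv2_temp(timestamp, client_challenge, target_info):
    """The 'temp' blob: RespType/HiRespType, reserved, timestamp, client
    challenge, reserved, AV pairs, reserved. AV pairs start at offset 28."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, domain, server_challenge, temp):
    """NtChallengeResponse = NTProofStr || temp, where NTProofStr is
    HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def verify_ntlmv2(nt_hash, user, domain, issued_challenge, issued_target_info, response):
    """Verifier side. Recompute NTProofStr over the challenge *this* server
    issued, then check that the target info echoed inside temp names the
    same computer this server put in its challenge (simplified model of the
    canonical-name check). Both must hold."""
    nt_proof, temp = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, issued_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(nt_proof, expected):
        return False
    echoed = parse_av_pairs(temp[28:])
    issued = parse_av_pairs(issued_target_info)
    return echoed.get(MSV_AV_NB_COMPUTER_NAME) == issued.get(MSV_AV_NB_COMPUTER_NAME)


def demo():
    """Constructed scenario: a response for server A is accepted by A,
    rejected against another challenge, and rejected when verified against
    target info naming a different server. Returns the three verdicts."""
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")  # placeholder, not a real hash
    user, domain = "alice", "CORP"
    info_a = av_pairs([(MSV_AV_NB_COMPUTER_NAME, "FILESRV01"),
                       (MSV_AV_NB_DOMAIN_NAME, "CORP"),
                       (MSV_AV_DNS_COMPUTER_NAME, "filesrv01.corp.example")])
    info_b = av_pairs([(MSV_AV_NB_COMPUTER_NAME, "FILESRV02"),
                       (MSV_AV_NB_DOMAIN_NAME, "CORP")])
    challenge_a = bytes(range(8))           # constructed server challenge
    challenge_other = bytes(range(8, 16))   # a different server's challenge
    temp = ntlmv2_temp(0x01D7000000000000, b"\x42" * 8, info_a)
    resp = ntlmv2_response(nt_hash, user, domain, challenge_a, temp)
    accepted = verify_ntlmv2(nt_hash, user, domain, challenge_a, info_a, resp)
    wrong_challenge = verify_ntlmv2(nt_hash, user, domain, challenge_other, info_a, resp)
    wrong_target = verify_ntlmv2(nt_hash, user, domain, challenge_a, info_b, resp)
    return accepted, wrong_challenge, wrong_target


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The first `False` comes from the MAC covering the server challenge; the second comes from the target-info comparison, which is the layer the answer attributes to the DC. A real Netlogon validation path has more to it (the secure channel, session-key release, canonical-name rules), so treat this as a model of the binding, not of NetrLogonSamLogonEx itself.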

All replies

  • Hi,

    Thank you for your question regarding NTLMv2 pass-through authentication. One of our engineers will follow up on this soon.

    Thanks,

    Edgar

    Tuesday, June 14, 2011 3:31 AM
    Moderator
  • Janis,

    Since you sent the same request to us on Dochelp, I will be handling this offline via email. Later on, I will be posting a summary of the resolution on this thread.

    Regards,

    Edgar

    Thursday, June 23, 2011 8:43 PM
    Moderator