NTLMSSP (SSPI) work with IE client ???


I wrote a small test web server trying to talk to an IE client for NTLM
authentication. I'm using SSPI AcceptSecurityContext() etc. in my
server-side code. I was able to get IE to send me the Type-3 message with
LM and NT response hashes. But when I called AcceptSecurityContext()
again passing in this response data, it returned ACCESS LOGIN DENIED
(The logon attempt failed, etc.). I checked the decoded Type-3 message
received from IE against the package generated from SSPI
(InitializeSecurityContext), which was in a test client I wrote just to
make sure my server side is working fine. I found out that the LM
response fields are different in these 2 packages. In the IE-generated LM
response, the 24-byte field is filled with hash data, while in the
SSPI-generated LM response, only the first 8 bytes are filled with
hash data and the remaining 16 bytes are all 0x00. The NT response seems
all filled with hash data. I'm pretty sure this is the reason that
causes AcceptSecurityContext() to fail, but I don't know how to
solve this.

Does anyone know if a server implementing NTLMSSP (using SSPI,
AcceptSecurityContext() API etc.) authentication will work with an IE
client performing NTLM authentication?
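
The field comparison described in the post can be reproduced with a small decoder. This is an added example, not part of the original post: it assumes the Type-3 token is available as base64 (as carried in an HTTP `Authorization: NTLM` header), the function names are hypothetical, and the two sample tokens are constructed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Offsets of the security-buffer headers in a Type-3 message (MS-NLMP layout).
FIELDS = {"lm_response": 12, "nt_response": 20}


def parse_type3(token_b64):
    """Return the raw LM and NT response fields from a base64 Type-3 token."""
    msg = base64.b64decode(token_b64)
    if len(msg) < 52 or msg[:8] != SIGNATURE or msg[8:12] != b"\x03\x00\x00\x00":
        raise ValueError("not an NTLMSSP Type-3 message")
    out = {}
    for name, pos in FIELDS.items():
        length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError(name + " buffer points outside the message")
        out[name] = msg[offset:offset + length]
    return out


def layout(field):
    if len(field) != 24:
        return "%d bytes" % len(field)
    if field[8:] == bytes(16):
        # MS-NLMP: NTLMv1 with extended session security sends an 8-byte
        # client challenge followed by 16 zero bytes in the LM field.
        return "8 bytes of data + 16 zero bytes"
    return "24 bytes of data"


def describe(token_b64):
    return {name: layout(f) for name, f in parse_type3(token_b64).items()}


def build_sample(lm, nt):
    """Constructed Type-3 token for the demo; only LM and NT buffers are set."""
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), 64)
    hdr += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    hdr += struct.pack("<HHI", 0, 0, 64) * 4 + struct.pack("<I", 0)
    return base64.b64encode(hdr + lm + nt).decode()


if __name__ == "__main__":
    full = build_sample(bytes(range(1, 25)), bytes(range(101, 125)))
    short = build_sample(bytes(range(1, 9)) + bytes(16), bytes(range(101, 125)))
    print("24-byte LM:", describe(full))
    print("8+16 LM:  ", describe(short))
```

Running `describe()` on the token captured from each client shows at a glance whether the two sides populated the LM field the same way.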

