Re: Updates on Squid Negotiate status

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 13 Nov 2005 09:29:47 +0100 (CET)

On Sat, 12 Nov 2005, Andrew Bartlett wrote:

> Some day I'll figure out how this fits into the windows SamLogon system.
> I'm told it does, but I just don't know how...

For one it's a different SSP, and a completely different authentication
mechanism.

It also seems that the mechanism used may differ between 2000 and 2003.
Remember seeing some significant differences in "client server"
requirements which made me suspect they had significantly redone things,
but I do not remember in detail now. But I remember having the reaction
that I felt they had probably extracted the plaintext password in earlier
versions and now switched to using Digest to the DC to protect the users
password.

Ideally Digest is integrated using Digest MD5-sess over a trusted channel
returning the MD5-sess HA1 hash together with the successful response
allowing the "client server" to process authentication directly for the
rest of the session (until the server nonce expires). Even more preferred
also taking the server nonce (similar to a challenge) as input similar to
what is done for NTLM verification in SamLogon. But given the small detail
that MSIE does not support MD5-sess or even nonce reuse I somehow doubt
they support any of this effectively.

Regards
Henrik
Received on Sun Nov 13 2005 - 01:29:56 MST
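As an added illustration (not part of the thread, and not Squid's or Samba's code), here is a constructed Python model of the MD5-sess scheme Henrik describes: a trusted back end holding the password verifies the first request and hands back the session HA1, after which the front end verifies further requests for the same nonce/cnonce itself without ever seeing the password. The realm, account, nonces and URIs are made-up values.

```python
import hashlib
from typing import Optional

# Constructed sample realm and credential table; only the "DC" side holds it.
REALM = "EXAMPLE"
PASSWORDS = {"alice": "s3cret"}

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1_sess(user: str, password: str, nonce: str, cnonce: str) -> str:
    """RFC 2617 algorithm=MD5-sess: HA1 = MD5(MD5(user:realm:pw):nonce:cnonce).
    Because nonce and cnonce are mixed in, this HA1 is useless outside this session."""
    return md5_hex(f"{md5_hex(f'{user}:{REALM}:{password}')}:{nonce}:{cnonce}")

def digest_response(ha1: str, a: dict, method: str) -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{a['uri']}")
    return md5_hex(f"{ha1}:{a['nonce']}:{a['nc']}:{a['cnonce']}:{a['qop']}:{ha2}")

def client_request(user, password, nonce, cnonce, nc, method, uri) -> dict:
    """Constructed browser side: builds the Authorization fields; the password stays here."""
    a = {"username": user, "nonce": nonce, "cnonce": cnonce, "nc": nc, "qop": "auth", "uri": uri}
    a["response"] = digest_response(ha1_sess(user, password, nonce, cnonce), a, method)
    return a

def dc_verify(a: dict, method: str) -> Optional[str]:
    """Trusted back end: verifies with the real password and, on success, returns the
    session HA1 (not the password) so the front end can finish the session on its own."""
    pw = PASSWORDS.get(a["username"])
    if pw is None:
        return None
    ha1 = ha1_sess(a["username"], pw, a["nonce"], a["cnonce"])
    return ha1 if digest_response(ha1, a, method) == a["response"] else None

class FrontEnd:
    """Proxy-side cache of session HA1 keyed by (user, nonce, cnonce)."""
    def __init__(self):
        self.sessions = {}
        self.dc_calls = 0          # counts round trips to the trusted back end

    def authenticate(self, a: dict, method: str) -> bool:
        key = (a["username"], a["nonce"], a["cnonce"])
        ha1 = self.sessions.get(key)
        if ha1 is None:            # unknown session: one trip to the DC
            self.dc_calls += 1
            ha1 = dc_verify(a, method)
            if ha1 is None:
                return False
            self.sessions[key] = ha1
        # Same nonce/cnonce, any nc or URI: verified locally with the cached HA1.
        return digest_response(ha1, a, method) == a["response"]
```

A new cnonce (or an expired server nonce) yields a new key and therefore another back-end round trip, which is why the scheme depends on nonce reuse.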

This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:15 MST