hvlad
commented
2 months ago Reopened due to failed QA test for #6204
Closed milk37 closed 1 month ago
hvlad
commented
2 months ago Reopened due to failed QA test for #6204
hvlad
commented
2 months ago Must note that this change introduced incompatibility between "Negotiate" client and "NTLM" server. AcceptSecurityContext() within "NTLM" server returns SEC_E_INVALID_TOKEN when handling data from "Negotiate" client. Other direction ("Negotiate" server and "NTLM" client) works OK.
hvlad
commented
2 months ago This is documented restriction, see https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-negotiate:
A server that uses the Negotiate package is able to respond to client apps that specifically select either the Kerberos or NTLM security provider. However, a client app must know that a server supports the Negotiate package to request authentication using Negotiate. A server that doesn't support Negotiate can't always respond to requests from clients that specify Negotiate as the SSP.
hvlad
commented
1 month ago This ticket will never be closed ;) Re-open due to found problem when WireCrypt is disabled on server
AuthSspi.cpp makes a call to AcquireCredentialsHandle in the ctor of class AuthSspi (line 112) with the security package hard-coded as "NTLM".
Consider changing this to "Negotiate" to allow Kerberos to be tried initially, falling back to NTLM if Kerberos is not available.
Also note that MS is looking to disabling NTLM in Windows 11 in the future, for info: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848