Closed milk37 closed 1 month ago
Reopened due to failed QA test for #6204
Must note that this change introduced an incompatibility between a "Negotiate" client and an "NTLM" server. AcceptSecurityContext() within the "NTLM" server returns SEC_E_INVALID_TOKEN when handling data from a "Negotiate" client. The other direction ("Negotiate" server and "NTLM" client) works OK.
This is a documented restriction, see https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-negotiate:
A server that uses the Negotiate package is able to respond to client apps that specifically select either the Kerberos or NTLM security provider. However, a client app must know that a server supports the Negotiate package to request authentication using Negotiate. A server that doesn't support Negotiate can't always respond to requests from clients that specify Negotiate as the SSP.
This ticket will never be closed ;) Re-opened due to a problem found when WireCrypt is disabled on the server
AuthSspi.cpp makes a call to AcquireCredentialsHandle in the ctor of class AuthSspi (line 112) with the security package hard-coded as "NTLM".
Consider changing this to "Negotiate" to allow Kerberos to be tried initially, falling back to NTLM if Kerberos is not available.
Also note that MS is looking to disable NTLM in Windows 11 in the future; for info: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848
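The following is an added example and is not Firebird's AuthSspi.cpp or any other project code. It shows the two points raised in this thread in one runnable program: AcquireCredentialsHandle with the package name as a parameter instead of the hard-coded "NTLM", and an in-process client/server handshake that reports which mechanism Negotiate actually settled on (Kerberos or NTLM) and reproduces the SEC_E_INVALID_TOKEN failure when a "Negotiate" client is paired with an "NTLM" server. The SSPI calls are Windows-only; the token-exchange driver and the two scripted peers (constructed stand-ins with no real crypto) compile anywhere. The "host/<fqdn>" SPN used for the client is an assumption about the local machine; if no such SPN is registered, Negotiate simply falls back to NTLM, which the program then reports.

```cpp
// Added example, not Firebird's AuthSspi.cpp: run an SSPI handshake in-process
// with a caller-chosen package on each side, report which mechanism Negotiate
// settled on, and reproduce the Negotiate-client / NTLM-server rejection.
// The token-exchange driver is portable; the SSPI calls are Windows-only.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// SSPI status codes (values from winerror.h), spelled out so the driver also
// compiles where <sspi.h> is not available.
constexpr int32_t kSecEOk                = 0x00000000;
constexpr int32_t kSecIContinueNeeded    = 0x00090312;
constexpr int32_t kSecEInvalidToken      = int32_t(0x80090308);
constexpr int32_t kSecEIncompleteMessage = int32_t(0x80090318);

using Token = std::vector<uint8_t>;
// One party's leg: consume the peer's token, emit the next one, return a status.
using Leg = std::function<int32_t(const Token& in, Token& out)>;
struct Outcome { bool ok; int32_t status; int legs; };

// Client speaks first; each side keeps stepping until it returns SEC_E_OK.
// A client may return SEC_E_OK together with a final token (NTLM type 3), so
// the server is still fed after the client has finished. Any status other
// than OK / CONTINUE_NEEDED aborts the exchange and is reported to the caller.
inline Outcome run_handshake(const Leg& client, const Leg& server, int max_legs = 8) {
    Token c2s, s2c;
    bool cdone = false, sdone = false;
    int legs = 0;
    while (!(cdone && sdone) && legs < max_legs) {
        if (!cdone) {
            int32_t st = client(s2c, c2s); ++legs; s2c.clear();
            if (st != kSecEOk && st != kSecIContinueNeeded) return {false, st, legs};
            cdone = (st == kSecEOk);
        }
        if (!sdone) {
            if (c2s.empty()) return {false, kSecEIncompleteMessage, legs};  // server starved
            int32_t st = server(c2s, s2c); ++legs; c2s.clear();
            if (st != kSecEOk && st != kSecIContinueNeeded) return {false, st, legs};
            sdone = (st == kSecEOk);
        }
    }
    bool ok = cdone && sdone;
    return {ok, ok ? kSecEOk : kSecEIncompleteMessage, legs};
}

// Scripted peers (constructed, no real crypto) following NTLM's three-leg shape:
// type1 -> type2 -> type3, where the client finishes while emitting type3.
inline Outcome simulate_three_leg() {
    int c = 0, s = 0;
    Leg client = [&](const Token&, Token& out) { ++c; out = {uint8_t(c)}; return c < 2 ? kSecIContinueNeeded : kSecEOk; };
    Leg server = [&](const Token& in, Token& out) { ++s; out = s < 2 ? Token{0xFF} : Token{};
                                                    return (in.size() == 1 && s < 2) ? kSecIContinueNeeded : kSecEOk; };
    return run_handshake(client, server);
}

// Scripted stand-in for the reported failure: the client emits a SPNEGO-style
// token (outer tag 0x60) that an NTLM-only acceptor rejects on its first leg.
inline Outcome simulate_ntlm_server_rejecting_negotiate() {
    Leg client = [](const Token&, Token& out) { out = {0x60}; return kSecIContinueNeeded; };
    Leg server = [](const Token&, Token&) { return kSecEInvalidToken; };
    return run_handshake(client, server);
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#pragma comment(lib, "secur32.lib")

struct SspiParty {
    CredHandle cred{}; CtxtHandle ctx{}; bool have_cred = false, have_ctx = false;
    ~SspiParty() { if (have_ctx) DeleteSecurityContext(&ctx); if (have_cred) FreeCredentialsHandle(&cred); }
};

// The call AuthSspi.cpp makes with "NTLM"; here the package name is a parameter.
inline bool acquire(SspiParty& p, const char* package, unsigned long use) {
    TimeStamp expiry;
    p.have_cred = AcquireCredentialsHandleA(nullptr, const_cast<char*>(package), use,
        nullptr, nullptr, nullptr, nullptr, &p.cred, &expiry) == SEC_E_OK;
    return p.have_cred;
}

// Shared tail of one ISC/ASC call: finish the token if asked, copy it out, free it.
inline int32_t finish_leg(SspiParty& p, SECURITY_STATUS st, SecBuffer& outb, SecBufferDesc& outd, Token& out) {
    if (st == SEC_I_COMPLETE_NEEDED || st == SEC_I_COMPLETE_AND_CONTINUE) {
        CompleteAuthToken(&p.ctx, &outd);
        st = (st == SEC_I_COMPLETE_NEEDED) ? SEC_E_OK : SEC_I_CONTINUE_NEEDED;
    }
    if (!FAILED(st)) p.have_ctx = true;
    auto* b = static_cast<uint8_t*>(outb.pvBuffer);
    out.assign(b, b + outb.cbBuffer);
    if (b) FreeContextBuffer(b);
    return static_cast<int32_t>(st);
}

inline Leg sspi_client(SspiParty& p, std::string spn) {
    return [&p, spn](const Token& in, Token& out) {
        SecBuffer inb{ (unsigned long)in.size(), SECBUFFER_TOKEN, const_cast<uint8_t*>(in.data()) };
        SecBufferDesc ind{ SECBUFFER_VERSION, 1, &inb };
        SecBuffer outb{ 0, SECBUFFER_TOKEN, nullptr };
        SecBufferDesc outd{ SECBUFFER_VERSION, 1, &outb };
        unsigned long attrs = 0; TimeStamp exp;
        SECURITY_STATUS st = InitializeSecurityContextA(&p.cred, p.have_ctx ? &p.ctx : nullptr,
            const_cast<char*>(spn.c_str()), ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_CONNECTION, 0,
            SECURITY_NATIVE_DREP, in.empty() ? nullptr : &ind, 0, &p.ctx, &outd, &attrs, &exp);
        return finish_leg(p, st, outb, outd, out);
    };
}

inline Leg sspi_server(SspiParty& p) {
    return [&p](const Token& in, Token& out) {
        SecBuffer inb{ (unsigned long)in.size(), SECBUFFER_TOKEN, const_cast<uint8_t*>(in.data()) };
        SecBufferDesc ind{ SECBUFFER_VERSION, 1, &inb };
        SecBuffer outb{ 0, SECBUFFER_TOKEN, nullptr };
        SecBufferDesc outd{ SECBUFFER_VERSION, 1, &outb };
        unsigned long attrs = 0; TimeStamp exp;
        SECURITY_STATUS st = AcceptSecurityContext(&p.cred, p.have_ctx ? &p.ctx : nullptr, &ind,
            ASC_REQ_ALLOCATE_MEMORY | ASC_REQ_CONNECTION, SECURITY_NATIVE_DREP, &p.ctx, &outd, &attrs, &exp);
        return finish_leg(p, st, outb, outd, out);
    };
}

// Which mechanism actually ran: under Negotiate this reads "Kerberos" or "NTLM".
inline std::string negotiated_package(SspiParty& p) {
    SecPkgContext_PackageInfoA info{};
    if (QueryContextAttributesA(&p.ctx, SECPKG_ATTR_PACKAGE_INFO, &info) != SEC_E_OK) return "?";
    std::string name = info.PackageInfo->Name;
    FreeContextBuffer(info.PackageInfo);
    return name;
}

int main(int argc, char** argv) {
    // argv[1]/argv[2]: client and server package; defaults reproduce the reported failing pairing.
    const char* cpkg = argc > 1 ? argv[1] : "Negotiate";
    const char* spkg = argc > 2 ? argv[2] : "NTLM";
    SspiParty c, s;
    if (!acquire(c, cpkg, SECPKG_CRED_OUTBOUND) || !acquire(s, spkg, SECPKG_CRED_INBOUND)) return 2;
    char host[256] = {}; DWORD n = sizeof host;
    GetComputerNameExA(ComputerNameDnsFullyQualified, host, &n);
    // Assumption: a host/<fqdn> SPN lets Negotiate try Kerberos first; otherwise it falls back to NTLM.
    Outcome o = run_handshake(sspi_client(c, std::string("host/") + host), sspi_server(s));
    if (!o.ok) { std::printf("%s client -> %s server failed: 0x%08x after %d legs\n", cpkg, spkg, (unsigned)o.status, o.legs); return 1; }
    std::printf("%s client -> %s server: ok, mechanism %s, %d legs\n", cpkg, spkg, negotiated_package(s).c_str(), o.legs);
    return 0;
}
#endif
```

On Windows, build with `cl /EHsc sspi_demo.cpp` (MSVC picks up secur32.lib from the pragma) or `g++ sspi_demo.cpp -lsecur32` under MinGW. Running it with no arguments pairs a "Negotiate" client with an "NTLM" server and prints the 0x80090308 (SEC_E_INVALID_TOKEN) failure from the thread; `sspi_demo Negotiate Negotiate` completes and prints whether Kerberos or NTLM was selected, which is the check to keep in mind when a domain-joined server silently falls back to NTLM; `sspi_demo NTLM Negotiate` shows the working reverse direction.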