Re: Challenge in NTLM authenticator

From: Henrik Nordstrom <>
Date: Mon, 22 Apr 2002 22:41:49 +0200

Robert Collins wrote:

> I'm saying that the NTLM SSP -happens- to be the on the wire format. MS
> have no reason to keep it that way, and that we are better off keeping
> the two level abstraction we have, whilst still leveraging the SSPI to
> allow user authentication.

NTLMSSP is the wire format if your ask for the NTLM SSP via SSPI.

If you ask for another SSP such as SPNEGO or Kerberos then the wire format is
obviously different.

Microsoft cannot change these without breaking the NTLM SSP compability
between versions, and in the unlikely event if they do the NTLMSSP used by MS
IE is very likely to change as well.

The NTLM SSP quite obviously knows all of NTLMSSP, such as NTLMv2 etc..

The wire format provided by the NT NTLMSSP has in my opinion a by far higher
probability to say compatible with the NTLMSSP wire format used by browsers
than any reverse engineered version.

Note: I assume you are aware that the "NTLMSSP" helper in Squid only
implements LANMAN authentication, not even NTLMv1, and only a tiny fraction
of all the NTLMSSP options..

Received on Mon Apr 22 2002 - 14:42:02 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:15:18 MST