Re: Windows NTLM authenticator

From: Serassio Guido
Date: Mon, 08 Sep 2003 10:43:27 +0200

Hi Henrik,

At 09.13 08/09/2003, Henrik Nordstrom wrote:

>On Sun, 7 Sep 2003, Serassio Guido wrote:
> > I have also tried this solution, but things seem to be more unstable.
>In what way?

Very high rate of random authentication pop-ups.

> > I have some doubts about challenge reuse: with this type of authenticator,
> > can the challenge be reused?
>The challenge packet should never be reused, but if you have clients which
>are guaranteed to be compatible then it may work for NTLM if you are

As in the other message to Robert:

It seems that in Squid there is a problem:
I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I get a KK
without a YR, so the helper sends a BH to Squid and Internet Explorer
pops up for authentication.

>In NTLMv2 the challenge packet can not be reused at all.
> > Another question: it works fine with Mozilla's NTLM and with IE when the
> > machine is in the right domain; when the machine is in another domain, IE
> > pops up randomly asking for username/password/domain again.
>No idea.
> > So, if possible, could you take a look at the sources to see if there is
> > anything missing?
>I can try, but I am very busy with other tasks at the moment.
>Robert or Kinkie: Do you have any possibility to look into this?
>To make such verification easier, please collect the following pieces of
>1. access.log with log_mime_hdrs
>2. traffic to/from the helper, identified by helper instance
>3. calls & responses from the Windows SSP module, identified by helper

OK, I will collect some transaction logs; currently I have tested it with NT
4, 2000 and 2003 clients.

I have added a hex dump capability to the helper, to dump the NTLM packets
in hex format in the log; this is very useful to check what happens.



Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Received on Mon Sep 08 2003 - 02:46:27 MDT
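
The check discussed in this message (a KK reaching a helper instance with no YR/TT before it), as an added example that is not part of the original message or of the Squid sources. The log line format "<helper id> <direction> <line>" and the helper names are assumptions, and the NTLM packets are constructed minimal ones (signature and type field only).

```python
import base64
import struct
from collections import defaultdict

NTLM_SIG = b"NTLMSSP\x00"

def ntlm_type(b64):
    """Return the NTLM message type field, or None if not an NTLM packet."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != NTLM_SIG:
        return None
    return struct.unpack_from("<I", raw, 8)[0]

def sample(msg_type):
    """Constructed minimal NTLM packet: signature + type, no real fields."""
    body = NTLM_SIG + struct.pack("<I", msg_type) + b"\x00" * 8
    return base64.b64encode(body).decode()

def check(lines):
    """Flag KK requests that reach a helper with no challenge outstanding."""
    challenged = defaultdict(bool)  # helper id -> TT issued, not yet consumed
    findings = []
    for n, line in enumerate(lines, 1):
        helper, direction, cmd, *rest = line.split(None, 3)
        payload = rest[0] if rest else ""
        if direction == "<" and cmd == "TT":
            challenged[helper] = ntlm_type(payload) == 2
        elif direction == ">" and cmd == "KK":
            if not challenged[helper]:
                findings.append((n, helper, "KK without preceding YR/TT"))
            elif ntlm_type(payload) != 3:
                findings.append((n, helper, "KK payload is not a type 3 message"))
            challenged[helper] = False  # max_challenge_reuses 0: single use
    return findings

# Constructed helper traffic: h1 starts with a clean exchange, h2 gets a stray KK,
# then h1 receives a second KK against an already consumed challenge.
SAMPLE_LOG = [
    "h1 > YR",
    f"h1 < TT {sample(2)}",
    f"h1 > KK {sample(3)}",
    "h1 < AF DOMAIN\\user",
    f"h2 > KK {sample(3)}",
    "h2 < BH no challenge outstanding",
    f"h1 > KK {sample(3)}",
]

if __name__ == "__main__":
    for finding in check(SAMPLE_LOG):
        print(finding)
```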
