
Re: NTLM Authentication

From: <eglass1_at_attbi.com>
Date: Tue, 24 Jun 2003 13:28:27 +0000

> > This is fairly useful, but contains several inaccuracies (especially
> > concerning the NTLM flags). I have done a write up on NTLM for a
> > project I am involved with:
> >
> > http://davenport.sourceforge.net/ntlm.html
>
> Thanks a lot!
>
> We should go over the current code and make it more accurate using your
> excellent information page. For now, it seems to work on the test pages
> we've setup.
>
> Again, thanks for letting us know!
>

No problem. You probably won't see too many problems with what you have, being
a client; the client has the advantage of initiating the negotiation, which
gives greater control over the selected options. A couple of items that might
be a good starting point to look at:

1) The type-1 message currently uses the flags 0x0000b203. This means
    0x00000001 Support Unicode
    0x00000002 Support OEM (more-or-less ASCII)
    0x00000200 Use NTLM authentication (always set)
    0x00001000 Supplying OEM domain name
    0x00002000 Supplying OEM workstation name
    0x00008000 Always sign

You could simplify things by noting that:

    a) You can force OEM by leaving out the Unicode flag. Almost all servers
support Unicode, so if you specify both Unicode will typically be selected by
the server. If you don't have Unicode tools available forcing OEM is typically
easier to deal with.

    b) You don't have to supply the workstation and domain name (this is only
used during single-sign on, to determine if the client and server are the same
box).

    c) You don't have to specify Always sign (HTTP only uses NTLM for
authentication, not message integrity/confidentiality).

This leaves you with 0x00000202 for the flags. This further simplifies things
because you can send an empty domain/workstation name, which makes the entire
type 1 message a constant. You would use the same flags in the type 3
message; in fact, you could probably get away with using the Win9x-style type
3 message (which leaves off the session key and flags altogether).

2) You don't *have* to send both the LM and the NTLM responses; either one by
itself is feasible. In fact, using just the NTLM response is more secure
(LM is fairly easy to crack). However, without the LM response you won't be
able to connect to Win9x-based servers (typically "Personal Web Server",
although there aren't too many of those left anymore). Some implementations
(notably Jakarta's HttpClient and Win9x browsers) just send the LM response
with an NT response of length 0. See:

http://support.microsoft.com/default.aspx?scid=KB;en-us;239869

for a discussion of the registry settings that affect interoperability related
to this.

Eric

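The two points above, the Type 1 flag set and the LM/NTLM response layout in Type 3, are easier to check with a small encoder/decoder. The following is an added example, not Eric's write-up or curl's code: it packs and unpacks NTLM Type 1 and Type 3 messages using the field layout described on the Davenport page linked above (8-byte signature, 4-byte message type, 4-byte flags, and 8-byte "security buffers" of length/allocated/offset, all little-endian). The flag names and values are those listed in the post; the LM/NT response bytes in the usage section are constructed placeholders, not real hashes. It shows that the 0x00000202 Type 1 message is a 32-byte constant, and that a Win9x-style Type 3 (LM response only, NT response of length 0, no session key or flags) round-trips and can be told apart from the full form by where its payload starts.

```python
import base64
import struct

# Negotiate flags as listed in the post above (bit value -> meaning).
NTLM_FLAGS = {
    0x00000001: "Negotiate Unicode",
    0x00000002: "Negotiate OEM",
    0x00000200: "Negotiate NTLM",
    0x00001000: "Negotiate Domain Supplied",
    0x00002000: "Negotiate Workstation Supplied",
    0x00008000: "Negotiate Always Sign",
}

SIGNATURE = b"NTLMSSP\x00"
CURL_2003_FLAGS = 0x0000B203   # what the post says curl's Type 1 sends today
MINIMAL_FLAGS = 0x00000202     # OEM + NTLM only, the simplification proposed


def describe_flags(flags):
    """Return the names of the set bits; any bit not in the table is reported as hex."""
    names = [name for bit, name in NTLM_FLAGS.items() if flags & bit]
    unknown = flags & ~sum(NTLM_FLAGS)
    if unknown:
        names.append("unknown 0x%08x" % unknown)
    return names


def security_buffer(data, offset):
    """NTLM security buffer: length, allocated space, offset (little-endian)."""
    return struct.pack("<HHI", len(data), len(data), offset)


def read_security_buffer(msg, pos):
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length], offset


def build_type1(flags, domain=b"", workstation=b""):
    """Type 1 (negotiate) without the optional OS-version block: a 32-byte
    header followed by the OEM domain and workstation strings, if supplied."""
    header_len = 32
    return (SIGNATURE
            + struct.pack("<I", 1)
            + struct.pack("<I", flags)
            + security_buffer(domain, header_len)
            + security_buffer(workstation, header_len + len(domain))
            + domain + workstation)


def parse_type1(msg):
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 1:
        raise ValueError("not an NTLM type 1 message")
    flags = struct.unpack_from("<I", msg, 12)[0]
    domain, _ = read_security_buffer(msg, 16)
    workstation, _ = read_security_buffer(msg, 24)
    return flags, domain, workstation


def build_type3(lm_response, nt_response, user, target=b"", workstation=b"",
                flags=MINIMAL_FLAGS, win9x_style=False):
    """Type 3 (authenticate). The Win9x-style form drops the trailing session
    key buffer and flags, so its header is 52 bytes instead of 64."""
    header_len = 52 if win9x_style else 64
    fields = [lm_response, nt_response, target, user, workstation]
    buffers, payload, offset = b"", b"", header_len
    for data in fields:
        buffers += security_buffer(data, offset)
        payload += data
        offset += len(data)
    msg = SIGNATURE + struct.pack("<I", 3) + buffers
    if not win9x_style:
        msg += security_buffer(b"", offset) + struct.pack("<I", flags)
    return msg + payload


def parse_type3(msg):
    """Decode the five buffers; detect the short (Win9x-style) header by the
    payload starting before byte 64, i.e. where session key/flags would be."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM type 3 message")
    fields, offsets = [], []
    for i in range(5):
        data, offset = read_security_buffer(msg, 12 + 8 * i)
        fields.append(data)
        if data:
            offsets.append(offset)
    win9x_style = min(offsets) < 64 if offsets else False
    flags = None if win9x_style else struct.unpack_from("<I", msg, 60)[0]
    lm, nt, target, user, workstation = fields
    return {"lm": lm, "nt": nt, "target": target, "user": user,
            "workstation": workstation, "flags": flags, "win9x_style": win9x_style}


def authorization_header(msg):
    """What actually goes on the wire: Authorization: NTLM <base64>."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    print("curl Type 1 flags:", describe_flags(CURL_2003_FLAGS))
    t1 = build_type1(MINIMAL_FLAGS)      # constant; no domain/workstation needed
    print(len(t1), "byte Type 1:", authorization_header(t1))
    # Constructed placeholder responses (not real LM/NT hashes): LM only, NT empty.
    t3 = build_type3(b"\x11" * 24, b"", b"user", win9x_style=True)
    print("Win9x-style Type 3:", parse_type3(t3))
```

`build_type1(MINIMAL_FLAGS)` yields the same 32 bytes every time, which is the "entire type 1 message a constant" point; `parse_type3` on a message built with `win9x_style=True` reports `flags=None` and an empty `nt`, the LM-only shape the post attributes to HttpClient and Win9x browsers.
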
Received on 2003-06-24