
I am deploying an application on Windows 8.1 which has SSO enabled (uses NTLM). There are two examples: good and bad. The only difference that has been determined between the two is that in the failure scenario, the Wireshark trace shows that the NTLM negotiation is wrapped up by the GSS-API Generic API.

In the case of a good login (again on Windows 8.1) there are no GSS-API messages. It has a simple NTLM Secure Service Provider message (no GSS-API).

Additionally, in a bad trace I have also seen the INITIATOR_NEGO and INITIATOR_META_DATA.

Both these cases and logins happen with the same OS (8.1) and the same client application. In order to determine if this is an application problem, I want to find a way in which I can make the bad login scenario test without the GSS-API wrapper. But I cannot find a way to disable it on the OS.

There should be one, I believe, because of two identical OSes, one uses GSS-API and one does not. Can anyone help me with this and share ideas?

Failed Login trace

Successful Login trace

A J
  • Why do you think this is NegoEx? It looks like SPNEGO where Kerberos does not work. – Michael-O Apr 18 '16 at 08:11
  • Hi Michael, I might be wrong. This was really new to me and you might be right that it is not NegoEx. However, my application does not use Kerberos, so I'm not sure if it's related to KRB? This app uses NTLM authentication. – A J Apr 18 '16 at 12:51
  • What GSS-API implementation do you use, MIT Kerberos or Heimdal? Because only Heimdal supports NTLM. Do client and server run on the same machine? – Michael-O Apr 18 '16 at 14:07
  • Hi Michael, the client runs on a Windows 8 PC, so I am not sure how to answer the question about which GSS-API implementation is used. The clients are on Windows 8 and connect to a different server machine. – A J Apr 19 '16 at 00:35
  • Let me rephrase my question. Does everything run in Windows? If yes, you are probably not using GSS-API but SSPI. Rerun Wireshark and filter for `kerberos`. – Michael-O Apr 19 '16 at 08:41
  • Hi Michael, yes, everything runs on Windows in my environment. So I am using SSPI. So perhaps that can be disabled on Windows? – A J Apr 22 '16 at 03:18
  • SSPI cannot be disabled and it does not make any sense to do so. Do service app and client app run on the same machine? – Michael-O Apr 22 '16 at 07:58
  • Hi Michael, no, the server is Windows 2008 while the clients are running Windows 8/8.1 – A J May 05 '16 at 03:20
  • Please provide screenshots of Wireshark captures. It makes it really hard to understand the problem. – Michael-O May 06 '16 at 18:10
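
The difference described in the question between the two traces can be read from the first bytes of the authentication token itself. The Python sketch below is an added example, not part of the original thread: it classifies a token as raw NTLMSSP or SPNEGO-wrapped and reports the offered mechanisms and any NegoEx message type. The helper names and sample tokens are constructed for illustration, and the OID matching is a byte-search heuristic, not a full ASN.1 parse.

```python
import struct

# DER-encoded OIDs as they appear inside a SPNEGO token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NEGOEX_OID = bytes.fromhex("060a2b06010401823702021e")  # 1.3.6.1.4.1.311.2.2.30
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MECHS = {NTLM_OID: "NTLMSSP", NEGOEX_OID: "NegoEx", KRB5_OID: "Kerberos"}
NTLM_SIG, NEGOEX_SIG = b"NTLMSSP\x00", b"NEGOEXTS"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOEX_TYPES = {0: "INITIATOR_NEGO", 1: "ACCEPTOR_NEGO", 2: "INITIATOR_META_DATA"}

def _msg_type(buf, sig, names):
    """Read the little-endian message type that follows an 8-byte signature."""
    pos = buf.find(sig)
    if pos < 0 or len(buf) < pos + 12:
        return None
    return names.get(struct.unpack_from("<I", buf, pos + 8)[0], "UNKNOWN")

def classify(token):
    """Report how an authentication token is framed and what it carries."""
    if token.startswith(NTLM_SIG):
        wrapper = "raw NTLMSSP"
    elif token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        wrapper = "GSS-API/SPNEGO NegTokenInit"
    elif token[:1] == b"\xa1":
        wrapper = "SPNEGO NegTokenResp"
    else:
        wrapper = "unknown"
    # Heuristic: look for the DER bytes of each mechanism OID in the token.
    raw = wrapper == "raw NTLMSSP"
    offered = [] if raw else [name for oid, name in MECHS.items() if oid in token]
    return {"wrapper": wrapper, "offered": offered,
            "ntlm": _msg_type(token, NTLM_SIG, NTLM_TYPES),
            "negoex": _msg_type(token, NEGOEX_SIG, NEGOEX_TYPES)}

def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def spnego_init(mech_oids, mech_token):
    """Build a NegTokenInit with a mechTypes list and a mechToken."""
    inner = tlv(0xA0, tlv(0x30, b"".join(mech_oids))) + tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, SPNEGO_OID + tlv(0xA0, tlv(0x30, inner)))

# Constructed samples (flags zeroed), not bytes from the asker's captures.
RAW_NTLM = NTLM_SIG + struct.pack("<II", 1, 0)
WRAPPED_NTLM = spnego_init([NTLM_OID], RAW_NTLM)
WRAPPED_NEGOEX = spnego_init([NEGOEX_OID, NTLM_OID], NEGOEX_SIG + struct.pack("<I", 0))
```

Feeding it the token bytes copied out of each capture shows whether the client sent NTLM directly or let the negotiation layer choose the mechanism.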

0 Answers