Hi Adrian,
thanks for the answer so far.

What I got from MS about NTLM / NTLM2 is the following (Q239869):

<-- snip -->
For reference, the full range of values for the LMCompatibilityLevel value that are supported by Windows NT 4.0 and Windows 2000 include:


   * Level 0 - Send LM and NTLM response; never use NTLM 2 session
     security. Clients use LM and NTLM authentication, and never use
     NTLM 2 session security; domain controllers accept LM, NTLM, and
     NTLM 2 authentication.
   * Level 1 - Use NTLM 2 session security if negotiated. Clients use
     LM and NTLM authentication, and use NTLM 2 session security if the
     server supports it; domain controllers accept LM, NTLM, and NTLM 2
     authentication.
   * Level 2 - Send NTLM response only. Clients use only NTLM
     authentication, and use NTLM 2 session security if the server
     supports it; domain controllers accept LM, NTLM, and NTLM 2
     authentication.
   * Level 3 - Send NTLM 2 response only. Clients use NTLM 2
     authentication, and use NTLM 2 session security if the server
     supports it; domain controllers accept LM, NTLM, and NTLM 2
     authentication.
   * Level 4 - Domain controllers refuse LM responses. Clients use NTLM
     authentication, and use NTLM 2 session security if the server
     supports it; domain controllers refuse LM authentication (that is,
     they accept NTLM and NTLM 2).
   * Level 5 - Domain controllers refuse LM and NTLM responses (accept
     only NTLM 2). Clients use NTLM 2 authentication, use NTLM 2
     session security if the server supports it; domain controllers
     refuse NTLM and LM authentication (they accept only NTLM 2).

A client computer can only use one protocol in talking to all servers. You cannot configure it, for example, to use NTLM v2 to connect to Windows 2000-based servers and then to use NTLM to connect to other servers. This is by design.
>-- snip --<


It is possible to set the minimum security that is used for programs that use the NTLM Security Support Provider (SSP) by modifying a registry key. So anybody may set level 5 which does not accept NTLM but NTLMv2 only. Do you refer to that by naming Windows 2003 Server?
If so that would mean NTLMv2 is not supported by HttpClient. Correct?


Best regards,
  Stefan Dingfelder


Adrian Sutton wrote:


On 20/2/04 1:56 AM, "Stefan Dingfelder" <[EMAIL PROTECTED]>
wrote:



Hi all,
the web site simply claims 'Authentication using Basic, Digest and the
encrypting NTLM (NT Lan Manager) methods'.
I could not find any information related to the implemented version of
NTLM. Is it just the older one or working with NTLMv2 also?

Many thanks in advance,
Stefan Dingfelder



It's almost impossible to know what you're referring to because NTLM has never been published and actually given different names and versions. There have been quite a few changes to NTLM over time.

Initially a very insecure form of NTLM was used in Windows; this was later
updated to remove the glaring security flaws. HttpClient uses this update.

There is a slightly different version of NTLM in nearly every version of
Windows, particularly different between Windows 95/98 and Windows NT based
OSs.  HttpClient uses a method which should be compatible with both Win 95
and Windows NT based systems.

There was a later version of NTLM brought out with Windows 2003 Server which
I have very little knowledge of but if the new encryption and signing stuff
is turned on it will almost certainly not work with HttpClient.

So I guess the answer to your question is that HttpClient doesn't use any
version of NTLM, it uses its own form that was generated by reverse
engineering (performed by a number of people) and should work with all
versions of Windows short of Windows 2003 Server with the fancy "lock out
everything that's not a Windows 2003 Server" option turned on.

Regards,

Adrian Sutton.

----------------------------------------------
Intencha "tomorrow's technology today"
Ph: 38478913 0422236329
Suite 8/29 Oatland Crescent
Holland Park West 4121
Australia QLD
www.intencha.com
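
An added example, not part of the original thread and not HttpClient's code: a Python check that classifies the response style inside the NTLM Type 3 message a client sends in an HTTP `Authorization: NTLM` header, which is one way to observe what a given client actually uses. The field offsets and length heuristics follow the commonly documented NTLMSSP layout and are assumptions here, as are all function names; the sample message is constructed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def _sec_buf(msg, pos):
    """Read one security buffer (length, allocated, offset) and return its bytes."""
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def classify_type3(msg):
    """Name the response style carried by a decoded NTLMSSP Type 3 message."""
    if len(msg) < 28 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (authenticate) message")
    lm, nt = _sec_buf(msg, 12), _sec_buf(msg, 20)
    if len(nt) > 24:
        return "NTLMv2"          # 16-byte HMAC proof followed by a variable-length blob
    if len(nt) != 24:
        raise ValueError("no 24-byte NT response present")
    if len(lm) == 24 and lm[:8] != bytes(8) and lm[8:] == bytes(16):
        return "NTLM2-session"   # LM field holds an 8-byte client nonce plus zero padding
    if len(lm) == 24 and lm != nt:
        return "LM+NTLM"         # a separate LM response is present
    return "NTLM"                # LM field empty or a copy of the NT response

def classify_header(value):
    """Classify the token of an HTTP 'Authorization: NTLM <base64>' header value."""
    scheme, _, token = value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization header")
    return classify_type3(base64.b64decode(token))

def build_type3(lm, nt):
    """Constructed test input: a minimal Type 3 message with only the response fields set."""
    base = 52  # 12-byte header plus five 8-byte security buffers
    bufs = struct.pack("<HHI", len(lm), len(lm), base)
    bufs += struct.pack("<HHI", len(nt), len(nt), base + len(lm))
    bufs += struct.pack("<HHI", 0, 0, base + len(lm) + len(nt)) * 3
    return SIGNATURE + struct.pack("<I", 3) + bufs + lm + nt

if __name__ == "__main__":
    # Constructed filler bytes, not real credentials.
    sample = build_type3(b"\x33" * 8 + bytes(16), b"\x44" * 24)
    print(classify_header("NTLM " + base64.b64encode(sample).decode()))
```

Only the `NTLMv2` result corresponds to what the quoted list calls NTLM 2 authentication, the one form a level 5 domain controller accepts.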

