[Cvsnt] Kerberos: gserver and SSPI
Brian Smith
brian-l-smith at uiowa.edu
Fri Apr 12 20:00:29 BST 2002
Francis Irving wrote:
> Thanks for the detailed reply Brian. I do have a few more questions
> still.
> - SSPI first tries to use Kerberos, otherwise it uses NTLM. Am I
> right that this is Windows doing this? If later on Microsoft add some
> other security protocols, it would automatically use those, if the
> SSPI API does?
Well, what actually happens is this:

    Windows 2000/XP client:    I understand NTLM and
                               the Windows negotiation protocol
    Windows 2000/XP Server:    Okay, then let's use the Windows
                               negotiation protocol
          or
    Windows NT4 Server:        Okay, let's use the NTLM protocol
    <authentication>

    Windows 95/98/NT4 client:  I understand NTLM
    Windows 2000/XP Server:    Well, we have to use NTLM then don't
                               we?
          or
    Windows NT4 Server:        Good, because I only understand NTLM
                               anyway.
    <authentication>

So, the answer is "yes", but only if the client and server are both
running Windows 2000/XP. If either the client or the server is not
Windows 2000/XP then NTLM (version 1, I believe) is used. Kerberos will
be picked first because the Windows built-in negotiation mechanism will
choose Kerberos over NTLM.
> - Is there a user-level term for "SSPI"? That seems to be more than
> API that you use to talk to Windows. Just describing it as "Windows
> authentication (:sspi:)" might be reasonable.
Sure. You might say "Windows Authentication (TCP/IP)" to distinguish it
from "Windows Authentication (Named Pipes)".
> - How does SSPI relate to :ntserver:? Which is more secure, is
> ntserver being deprecated?
Tony would be better at answering these questions because I don't know
anything about named pipes.
> - Can SSPI connect to a Unix CVS server? (With Samba?)
Not currently. I suppose that it could be implemented since Unix can do
NTLM and Kerberos. But the Windows 2000/XP authentication negotiation
protocol is proprietary as far as I know.
- Brian