NTLM authentication from Windows 7 to WinCE 3.0
I have the following problem. I would like to connect from a Windows 7 PC with IE8 to a WinCE 3.0 web server.
Some pages on this web application are password protected. When I try to connect to these pages, the NTLM authentication always ends with an error.
When I check the data transfer on the Ethernet, I see that the last HTTP request with the NTLM_AUTH message returns with a "HTTP/1.0 401 Unauthorized" message.
On Windows 7 I changed the following network security settings:
- Network security: LAN Manager authentication level: Send LM & NTLM - use NTLMv2 session security if negotiated
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Disable 128-bit encryption
- Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Disable 128-bit encryption
- Network security: Allow Local System to use computer identity for NTLM: Activated
- Network security: Do not store LAN Manager hash value on next password change: Deactivated
Does someone have information about this behaviour?
Beat
November 12th, 2010 2:58am
Hi,
I notice that you said "NTLM authentication always ends with an error". Please provide the error message for us.
To confirm what the source is, please test the issue on another Windows 7.
Meanwhile, I would like to share the following article with you:
A high level overview of Windows CE
Web Server authentication
Also, I suggest you check the related settings of WinCE:
Microsoft Windows CE 3.0 Web Server
Hope it helps.
Alex Zhao
November 16th, 2010 5:56am
Hello Alex
First, the configuration of the WinCE 3.0 web server is correct, because it works with Windows XP or Windows Vista computers.
The web server uses the local CE account database, and the user and the password are set with the function NTLMSetUserInfo()!
I tested it with two Windows 7 computers without success.
About the error message:
I will show you the order of the HTTP telegrams on the network with Windows 7:
- HTTP: GET .... with NTLMSSP data: NTLM Message Type:NTLM_NEGOTIATE
- HTTP: HTTP/1.0 401 Unauthorized with NTLMSSP data: NTLM Message Type:NTLM_CHALLENGE
- HTTP: GET .... with NTLMSSP data: NTLM Message Type:NTLM_AUTH (User name, Lan Manager Response, NTLM Response, ...)
- HTTP: HTTP/1.0 401 Unauthorized without NTLMSSP
I found similar HTTP telegrams with Windows XP:
- HTTP: GET .... with NTLMSSP data: NTLM Message Type:NTLM_NEGOTIATE
- HTTP: HTTP/1.0 401 Unauthorized with NTLMSSP data: NTLM Message Type:NTLM_CHALLENGE
- HTTP: GET .... with NTLMSSP data: NTLM Message Type:NTLM_AUTH (User name, Lan Manager Response, NTLM Response, ...)
- HTTP: HTTP/1.0 304 Not Modified
When I compare the data in the NTLM_AUTH telegram I see 3 differences:
1. The version numbers in the NTLMSSP data packet are different:
   Windows 7 : 0601B01D
   Windows XP: 0501280A
2. The offset value for the EncryptedRandomSessionKeyFields points to different positions:
   Windows 7 : EncryptedRandomSessionKeyLen = 0000
               EncryptedRandomSessionKeyMaxLen = 0000
               EncryptedRandomSessionKeyBufferOffset = A2000000
   The maximum length of the NTLMSSP data packet is only 0xA2 -> at EncryptedRandomSessionKeyBufferOffset there is no value!!!!
   Windows XP: EncryptedRandomSessionKeyLen = 0000
               EncryptedRandomSessionKeyMaxLen = 0000
               EncryptedRandomSessionKeyBufferOffset = 92000000
   The maximum length of the NTLMSSP data packet is only 0x93 -> at EncryptedRandomSessionKeyBufferOffset there is zero value for the empty string!!!!
3. The MIC value is not set in the Windows XP telegram. That is the reason why the telegram size is 16 bytes smaller.
I found the information about the NTLMSSP telegram in the document:
[MS-NLMP] — v20101001
NT LAN Manager (NTLM) Authentication Protocol Specification
I hope this is enough information to detect the reason for my problem.
Beat
November 17th, 2010 5:48am
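Added example, not part of the original posts: a Python sketch that decodes the fixed header of an NTLM AUTHENTICATE_MESSAGE so the three differences listed in the post above (version, EncryptedRandomSessionKey offset, MIC) can be read off a captured `Authorization` header. The field layout follows [MS-NLMP]; `parse_authenticate` and `build_sample` are hypothetical names, and the sample messages are constructed test data in which only the two version values come from the post.

```python
import base64
import struct

FIELDS = ["LmChallengeResponse", "NtChallengeResponse", "DomainName",
          "UserName", "Workstation", "EncryptedRandomSessionKey"]

def parse_authenticate(header_value):
    """Decode the fixed header of an NTLM AUTHENTICATE_MESSAGE (type 3)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization value")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("bad signature or truncated message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    info = {"length": len(msg), "fields": {}, "notes": [], "version": None}
    for i, name in enumerate(FIELDS):  # six Len/MaxLen/Offset triples from byte 12
        ln, _maxlen, off = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        info["fields"][name] = (ln, off)
        if off + ln > len(msg):
            info["notes"].append(f"{name}: data runs past end of message")
        elif ln == 0 and off == len(msg):
            info["notes"].append(f"{name}: empty, offset equals message length")
    # Heuristic: the payload starts at the lowest offset, which shows whether
    # the optional Version (bytes 64-71) and MIC (bytes 72-87) are present.
    start = min(off for _ln, off in info["fields"].values())
    if start >= 72 and len(msg) >= 72:
        info["version"] = struct.unpack_from("<BBH", msg, 64)  # major, minor, build
    info["has_mic"] = start >= 88 and len(msg) >= 88
    return info

def build_sample(version_hex, with_mic):
    """Constructed test message (not a capture): user 'u', other fields empty."""
    header_len = 88 if with_mic else 72
    user = "u".encode("utf-16-le")
    end = header_len + len(user)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3)
    for name in FIELDS:
        if name == "UserName":
            msg += struct.pack("<HHI", len(user), len(user), header_len)
        else:
            msg += struct.pack("<HHI", 0, 0, end)  # empty field pointing at end
    msg += struct.pack("<I", 0x02000000)  # NTLMSSP_NEGOTIATE_VERSION
    msg += bytes.fromhex(version_hex) + b"\x00\x00\x00\x0f"  # reserved + revision
    msg += (b"\x00" * 16 if with_mic else b"") + user
    return "NTLM " + base64.b64encode(msg).decode()
```

To inspect a real capture, pass the value of the `Authorization` request header from the third telegram to `parse_authenticate` and compare the results for both clients.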
Hello together
I got an answer from "Microsoft Customer Service and Support" about this problem. There is no solution!! Windows CE 3.0 has a problem with the NTLM authentication with Windows Vista and Windows 7.
In the newer Windows CE versions (5.0, 6.0), this problem is solved.
Kind regards
Beat
December 9th, 2010 3:42am