Why Windows SMB client ignores supported auth mechanisms in Negotiate Response?

Lilia 60 Reputation points
2024-04-02T13:51:56.3166667+00:00

Scenario: SMB311 Server lists NTLM as the only supported auth mechanism in Negotiate response. Windows client ignores the fact and obtains the TGS for cifs/FQDN of the server and uses Kerberos authentication in Session Setup.
Error codes such as STATUS_NOT_SUPPORTED or STATUS_INVALID_PARAMETER do not cause Windows client to fall back to NTLM.
Note that deleting server's SPN for cifs/FQDN solves the issue.
But why Windows client ignores supported auth mechanism in Negotiate Response?

Windows Open Specifications
Windows Open Specifications
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Open Specifications: Technical documents for protocols, computer languages, standards support, and data portability. The goal with Open Specifications is to help developers open new opportunities to interoperate with Windows, SQL, Office, and SharePoint.
42 questions
{count} votes

Accepted answer
  1. Sreekanth Nadendla 411 Reputation points Microsoft Employee
    2024-05-06T13:47:22.09+00:00

    As documented in MS-SMB2 section 3.2.4.2.3, windows client ignores the Token received from the Server and starts with Kerberos.

    MS-SPNG will also be updated accordingly.

    MS-AUTHSOD section “3.3.2 Using the NTLM Protocol [MS-NLMP]” also mentioned that Kerberos will be tried first:

    “This example describes using NTLM Protocol [MS-NLMP] to obtain client authentication to connect to an Server Message Block (SMB2) share. When Kerberos authentication fails or is not configured, the Authentication Client tries the NTLM protocol as the next preferred authentication protocol to prove the identity of the SMB2 client to the SMB2 server. This example describes the interactions between the SMB2 client and the SMB2 server when Kerberos is not configured or is unavailable.”

    Regards,

    Sreekanth Nadendla

    Microsoft Windows Open Specifications

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.