Suvarna's Weblog on Development for Mobile Devices

Software Design Engineer, Mobile Devices


NTLMSSP on Pocket PC 2003


Information about the SSPI authentication handshake as applied to NTLM can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcesecurity5/html/wce50conNTLMSecuritySupportProvider.asp

 

There are two styles of NTLM authentication.

Connection Authentication (ISC_REQ_CONNECTION) – This is a three-way handshake in which the exchange is initiated by the client.

  • The client and the server call AcquireCredentialsHandle to find out the capabilities of the security layer
  • The client then calls InitializeSecurityContext, which generates the Type 1 NTLM message
  • The client sends this Type 1 message to the server
  • The server calls AcceptSecurityContext and generates the Type 2 NTLM message, which it sends to the client
  • The client receives the Type 2 message from the server and calls InitializeSecurityContext again, passing the Type 2 message to the API. This generates the Type 3 NTLM message
  • The client then sends the Type 3 message to the server. If all the messages are correct, the authentication succeeds

Datagram Authentication (ISC_REQ_DATAGRAM) – The challenge is initiated by the server. NO Type 1 message is generated in this style.

  • The client and the server call AcquireCredentialsHandle to find out the capabilities of the security layer
  • The client sends an empty buffer to the server
  • The server calls AcceptSecurityContext and generates the Type 2 NTLM message, which it sends to the client
  • The client receives the Type 2 message from the server and calls InitializeSecurityContext again, passing the Type 2 message to the API. This generates the Type 3 NTLM message
  • The client then sends the Type 3 message to the server. If all the messages are correct, the authentication succeeds

 

The security layer on Pocket PC 2003 supports NTLM but DOES NOT SUPPORT the DATAGRAM style. This can confuse developers, because InitializeSecurityContext does not necessarily return an error when the Type 2 message is passed to it with the DATAGRAM flag. It returns a buffer, but the server fails to authenticate that buffer when it is sent back.
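Because the failure above is silent on the client side, it helps to inspect the Type 2 challenge before handing it to InitializeSecurityContext. The following is an added example (not code from this post or from the Windows CE SSP) that reads the NTLMSSP header, returns the message type (Type 1/2/3 as described in the two handshakes above) and the NegotiateFlags, and reports whether the server's challenge asks for datagram style; the flag bit values and field offsets follow the standard NTLMSSP message layouts, and the two sample challenges are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Negotiate-flag bits used by NTLMSSP; DATAGRAM selects the connectionless style. */
#define NTLMSSP_NEGOTIATE_UNICODE  0x00000001u
#define NTLMSSP_NEGOTIATE_SIGN     0x00000010u
#define NTLMSSP_NEGOTIATE_SEAL     0x00000020u
#define NTLMSSP_NEGOTIATE_DATAGRAM 0x00000040u
#define NTLMSSP_NEGOTIATE_NTLM     0x00000200u

static const uint8_t NTLMSSP_SIGNATURE[8] = { 'N','T','L','M','S','S','P',0 };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1, 2 or 3 for a Type 1/2/3 message, 0 if the buffer is not an NTLMSSP message. */
int ntlm_message_type(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, NTLMSSP_SIGNATURE, 8) != 0) return 0;
    uint32_t t = read_le32(buf + 8);
    return (t >= 1 && t <= 3) ? (int)t : 0;
}

/* NegotiateFlags live at offset 12 (Type 1), 20 (Type 2) or 60 (Type 3); 0 if absent. */
uint32_t ntlm_negotiate_flags(const uint8_t *buf, size_t len) {
    size_t off;
    switch (ntlm_message_type(buf, len)) {
        case 1: off = 12; break;
        case 2: off = 20; break;
        case 3: off = 60; break;
        default: return 0;
    }
    return (len >= off + 4) ? read_le32(buf + off) : 0;
}

/* Pre-flight check: 1 when a Type 2 challenge asks for datagram style, which the
 * built-in NTLM SSP on Pocket PC 2003 will not complete correctly (see above). */
int ntlm_challenge_requires_datagram(const uint8_t *buf, size_t len) {
    if (ntlm_message_type(buf, len) != 2) return 0;
    return (ntlm_negotiate_flags(buf, len) & NTLMSSP_NEGOTIATE_DATAGRAM) != 0;
}

/* Constructed sample challenges (not real captures): empty target name at offset 40,
 * NegotiateFlags, an 8-byte server challenge and the 8 reserved bytes. */
const uint8_t SAMPLE_DATAGRAM_CHALLENGE[40] = {
    'N','T','L','M','S','S','P',0,  2,0,0,0,  0,0, 0,0, 40,0,0,0,
    0x71,0x02,0,0,  /* UNICODE|SIGN|SEAL|DATAGRAM|NTLM = 0x00000271 */
    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,  0,0,0,0,0,0,0,0 };
const uint8_t SAMPLE_CONNECTION_CHALLENGE[40] = {
    'N','T','L','M','S','S','P',0,  2,0,0,0,  0,0, 0,0, 40,0,0,0,
    0x31,0x02,0,0,  /* UNICODE|SIGN|SEAL|NTLM = 0x00000231, no DATAGRAM bit */
    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,  0,0,0,0,0,0,0,0 };
```

If ntlm_challenge_requires_datagram returns 1 on Pocket PC 2003, the client knows up front that it must fall back to its own datagram-style implementation rather than discovering the problem only when the server rejects the Type 3 message.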

 

Issues with LCS 2005 NTLM

Some things to keep in mind when you are trying to make your SIP client authenticate with LCS 2005 using NTLM are:

  1. LCS 2005 expects the NTLM DATAGRAM type of authentication, which means that if you are trying to host this client on Pocket PC 2003, you must have your own custom implementation of NTLM DATAGRAM style.
  2. Always use a sequence number of 100 when you call MakeSignature or VerifySignature for LCS 2005 SIP messages.

Disclaimer : This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
