NLA Unicode Support #2
Comments
For the record: The uppercasing only applies to the old LM passwords that for some reason is included as an insecure fallback in NTLM. AFAICS the LM password is never used with NLA. It would be nice to have full support for the protocol, but it seems like it doesn't matter, never will be used, and can't be verified against MS servers.
Actually, I did provide an LM implementation, but after I got NLA working I realized I could simply zero out the LmChallengeResponse. I don't think that we would encounter a server requiring a valid LmChallengeResponse, so I could just get rid of the LM authentication code completely, and just keep NTLMv2.
@KILLERIX: uppercasing also happens in NTLMv2, not just LM.
On 03/16/2011 06:34 PM, awakecoding wrote:
Ok, yes, I was only referring to uppercasing of passwords. Do unicode usernames (and domains) generally work ok - also with NLA? I
Ok, regarding what gets uppercased, I looked back at the source code, and only the username is uppercased, not the password. This means that unicode passwords should work properly, but not unicode usernames with non US ASCII characters.
And does the Microsoft client properly handle it?
Yes it does, Microsoft has its own Unicode conversion API (http://msdn.microsoft.com/en-us/library/ff563005/). Wine apparently has its own implementation for it.
Network Level Authentication, unlike the older authentication mechanism, has an extra challenge when it comes to unicode support: the username and passwords must be uppercased in unicode. Even though the current development sources will correctly use iconv for the unicode conversion, there is no mechanism to properly uppercase unicode characters. Since this is required in order to compute the correct NTLMv2 response, authentication fails.
In order to complete NLA unicode support, proper unicode uppercasing must be implemented, and that is definitely not as trivial as doing US ASCII uppercasing.
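The failure mode discussed in this thread, as an added example that is not part of the original issue or of FreeRDP's code: the NTLMv2 key is HMAC-MD5 over the uppercased user name plus the domain, so a client that uppercases only US-ASCII letters derives a different key than the server for a non-ASCII user name. Assumptions: Python's `str.upper` stands in for the Windows uppercasing routine (the two do not agree for every character), `ascii_upper` and `compare` are hypothetical helpers, and the NT hash is the published MS-NLMP test value for the password "Password".

```python
import hmac

def ascii_upper(s: str) -> str:
    """Uppercase only a-z, the way a US-ASCII-only routine would."""
    return "".join(chr(ord(c) - 32) if "a" <= c <= "z" else c for c in s)

def ntowfv2(nt_hash: bytes, user: str, domain: str, upper=str.upper) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(Upper(user) + domain)).

    Only the user name is uppercased; the domain and the password
    (already folded into nt_hash) are used as given.
    """
    identity = (upper(user) + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, "md5").digest()

# NT hash (MD4 of the UTF-16LE password) for "Password", MS-NLMP test vector.
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")

def compare(user: str, domain: str = "Domain") -> bool:
    """True when ASCII-only and Unicode-aware uppercasing give the same key."""
    unicode_aware = ntowfv2(NT_HASH, user, domain)
    ascii_only = ntowfv2(NT_HASH, user, domain, upper=ascii_upper)
    return unicode_aware == ascii_only

if __name__ == "__main__":
    # Constructed sample user names: one pure ASCII, one with a non-ASCII letter.
    for name in ("User", "müller"):
        result = "keys match" if compare(name) else "keys differ, NTLMv2 response is rejected"
        print(f"{name!r}: {result}")
```

A mismatch here propagates into the NTLMv2 response and every session key derived from it, which is why the symptom is a plain authentication failure rather than a garbled user name.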