Last modified 9 months ago Last modified on 06/03/16 14:39:19

What is it ?

GSS-NTLMSSP is a GSSAPI mechanism plugin that implements NTLMSSP. NTLMSSP is a Microsoft Security Provider that implements various versions and falvors of the NTLM challenge-response family.

GSS-NTLMSSP, implements both NTLM and NTLMv2 and all the various security variants to the key exchange that Microsoft introduced and documented over time.

This code implements the NTLMSSP mechanism as a GSSAPI loadable mechanism and has been tested to work with MIT Kerberos' 1.11 implementation of GSSAPI.


GSS-NTLMSSP implements fully all the mechanisms and crypto needed for both a client and a server process. As a client all it needs is a credential file defined via an environment variable or a Winbind process through which the user has previously authenticated. As a server it currently support standalone mode (also via credential file) or Domain Member mode via Winbind integration.


Due to the difference between how the Krb5 and NTLM challenge-response mechanisms work, not all software using GSSAPI successfully works yet.

SIPE 1.18.x will be GSS-NTLMSSP compatible and in the process many bugs have been fixed on all sides. Many thanks to Stefan Becker and David Woodhouse for the collaboration and making this possible.

Firefox (multiple versions) has been tested and seem to work without issues.

Curl instead seem to assume that the GSSAPI conversation will always be completed in one roundtrip so it fails to work with GSS-NTLMSSP as the NTLM challenge-response protocol requires 2 or more roundtrips unlike the Krb5 mechanism. (Fixed in curl git as of 2014-07-16 just after the 7.37.1 release, and will be in the next release).

Cyrus-sasl's GSS-SPNEGO support is equally broken with GSS-NTLMSSP, the actual authentication works fine, but then it fails to correctly negotiate the SASL SSF properties due again to the incorrect assumption that the authentication negotiation always terminates with the last message being sent from the server to the client. In NTLMSSP usually the last message is from the client back to the server.


Latest Release:

See Releases page for more details.