Comments (4)

  1. MrBIGmog says:

    "But if the authentication is coming from a third party device, it is possible that the field will be empty or contain an arbitrarily set value. We will deal with those in a further post."

    Was this additional post ever made?

    1. It is drafted... Do you have the case? Mind sharing your input? We could co-write 🙂

  2. shovey says:

    “But if the authentication is coming from a third party device, it is possible that the field will be empty or contain an arbitrarily set value. We will deal with those in a further post.”

    It is drafted… Do you have the case?

    Did you ever get a case? I opened a ticket once but they couldn't resolve it.

    1. For SMB for example, according to [MS-SRVS]: Server Service Remote Protocol https://msdn.microsoft.com/en-us/library/cc247080.aspx the client will provide the info to the server about its name (to build a session structure). This has to be either NULL or a string starting with \\. But really the client has the discretion on this. Samba clients for example have a parameter to override the smb.conf (see --netbiosname in https://www.samba.org/samba/docs/man/manpages-3/smbclient.1.html). And the DC just validates the credentials (event 4776), it just has access to whatever the NTLM security provider has access to, and in the NTLM pass-through process, the IP address of the client doesn’t seem to be a part of what the DC has available. I do not have any case I could build upon… I write my post based on what I get on my plate 🙂 If you have more info, feel free to email me, I’ll have a look at it and see if we can build something on it.
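As an added example (not part of the original comments or the author's tooling): a small triage routine that sorts event 4776 records by whether the client-supplied workstation name is empty, matches an asset inventory, or cannot be verified. The inventory, the sample records and all function names are assumptions constructed for illustration; the dictionary keys mirror the 4776 event data fields.

```python
# Added example: triage of the client-supplied Workstation field in 4776 records.
# The inventory and the sample records below are constructed for illustration.
from collections import defaultdict

KNOWN_HOSTS = {"WKS-0142", "SRV-FILE01"}  # hypothetical asset inventory

SAMPLE_4776 = [  # constructed records; keys mirror the 4776 event data names
    {"TargetUserName": "alice", "Workstation": "WKS-0142", "Status": "0x0"},
    {"TargetUserName": "alice", "Workstation": "\\\\wks-0142", "Status": "0x0"},
    {"TargetUserName": "bob", "Workstation": "", "Status": "0x0"},
    {"TargetUserName": "bob", "Workstation": "WORKSTATION", "Status": "0xC000006A"},
    {"TargetUserName": "bob", "Workstation": "nas-appliance", "Status": "0x0"},
]

def normalize(name):
    """Strip whitespace and any leading backslashes, then fold case."""
    return (name or "").strip().lstrip("\\").upper()

def classify(event, known=KNOWN_HOSTS):
    """Label a record 'empty', 'known' or 'unverified' from its workstation name."""
    host = normalize(event.get("Workstation"))
    if not host:
        return "empty"
    # The name is chosen by the client, so 'known' is a hint, not proof of origin.
    return "known" if host in known else "unverified"

def triage(events, known=KNOWN_HOSTS):
    """Group the normalized workstation names per account and per label."""
    report = defaultdict(lambda: defaultdict(set))
    for ev in events:
        label = classify(ev, known)
        report[ev["TargetUserName"]][label].add(normalize(ev.get("Workstation")))
    return report

def needs_correlation(events, known=KNOWN_HOSTS):
    """Accounts with records that the name alone cannot tie to an inventoried host."""
    rep = triage(events, known)
    return sorted(u for u, c in rep.items() if c["empty"] or c["unverified"])

if __name__ == "__main__":
    for user, classes in triage(SAMPLE_4776).items():
        print(user, {k: sorted(v) for k, v in classes.items()})
    print("correlate with other logs:", needs_correlation(SAMPLE_4776))
```

Accounts returned by `needs_correlation` are the ones where the 4776 record has to be matched against logs from the server that received the authentication, since the DC record carries no client IP address.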
