Domain Join - "Use DC name from NTLM Handshake"

We have some conjecture in our group regarding selecting the "Use DC name from NTLM Handshake" option when domain joining our MWG. What is the effect of selecting or not selecting this option?
3 Replies

Re: Domain Join - "Use DC name from NTLM Handshake"

Hi,

Hope you are doing well.

During MWG and AD server communication, the DC server sends a Session Setup Response as below:


Internet Protocol Version 4, Src: 1.1.1.1, Dst: 1.1.1.2
Transmission Control Protocol, Src Port: 445, Dst Port: 21003, Seq: 253, Ack: 284, Len: 287
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
        Command: Session Setup (1)
        Credits granted: 32
        Flags: 0x00000001, Response
        Chain Offset: 0x00000000
        Message ID: 1
        Process Id: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000502214000061 Acct:MWG-Rep$ Domain:abc.com Host:
        Signature: 00000000000000000000000000000000
        [Response to: 69]
        [Time from request: 0.000243000 seconds]
    Session Setup Response (0x01)
        StructureSize: 0x0009
        Session Flags: 0x0000
        Security Blob: a181d03081cda0030a0101a10c060a2b0601040182370202...
            Offset: 0x00000048
            Length: 211
            GSS-API Generic Security Service Application Program Interface
                Simple Protected Negotiation
                    negTokenTarg
                        negResult: accept-incomplete (1)
                        supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        responseToken: 4e544c4d53535000020000000a000a0038000000158289e2...
                        NTLM Secure Service Provider
                            NTLMSSP identifier: NTLMSSP
                            NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
                            Target Name: FLASH
                            Negotiate Flags: 0xe2898215, Negotiate 56, Negotiate Key Exchange, Negotiate 128, Negotiate Version, Negotiate Target Info, Negotiate Extended Security, Target Type Domain, Negotiate Always Sign, Negotiate NTLM key, Negotiate Sign, Request
                            NTLM Server Challenge: 62f93a0f7f51a694
                            Reserved: 0000000000000000
                            Target Info
                                Length: 114
                                Maxlen: 114
                                Offset: 66
                                Attribute: NetBIOS domain name: abc
                                Attribute: NetBIOS computer name: DCU
                                Attribute: DNS domain name: abc.com
                                Attribute: DNS computer name: DCU.abc.com
                                Attribute: DNS tree name: abc.com
                                Attribute: Timestamp
                                Attribute: End of list
                            Version 6.3 (Build 9600); NTLM Current Revision 15


The DC server gives "Attribute: DNS computer name: DCU.abc.com". MWG uses the value of the "DNS computer name" attribute if the option "Use DC Name from NTLM handshake" is enabled.


MWG sends a NetrServerReqChallenge request using the RPC_NETLOGON protocol as below:


Frame 104: 280 bytes on wire (2240 bits), 280 bytes captured (2240 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 1.1.1.2, Dst: 1.1.1.1
Transmission Control Protocol, Src Port: 21003, Dst Port: 445, Seq: 2761, Ack: 2557, Len: 212
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
    SMB2 Header
        Server Component: SMB2
        Header Length: 64
        Credit Charge: 1
        Channel Sequence: 0
        Reserved: 0000
        Command: Ioctl (11)
        Credits requested: 1
        Flags: 0x00000008, Signing
        Chain Offset: 0x00000000
        Message ID: 17
        Process Id: 0x0000feff
        Tree Id: 0x00000001  \\dcu.abc.com\IPC$
        Session Id: 0x0000502214000061 Acct:MWG-Rep$ Domain:abc.com Host:
        Signature: 9f335d8ce16fecbadaf2c90d13a32b0e
        [Response in: 105]
    Ioctl Request (0x0b)
        StructureSize: 0x0039
        Function: FSCTL_PIPE_TRANSCEIVE (0x0011c017)
        GUID handle File: NETLOGON
        Max Ioctl In Size: 0
        Max Ioctl Out Size: 61440
        Flags: 0x00000001
        Out Data: NO DATA
            Offset: 0x00000000
            Length: 0
        In Data
            Offset: 0x00000078
            Length: 88
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 88, Call: 7, Ctx: 0, [Resp: #105]
    Version: 5
    Version (minor): 0
    Packet type: Request (0)
    Packet Flags: 0x03
    Data Representation: 10000000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 88
    Auth Length: 0
    Call ID: 7
    Alloc hint: 0
    Context ID: 0
    Opnum: 4


"Tree Id: 0x00000001  \\dcu.abc.com\IPC$" is the one where MWG sends the FQDN of the DC server.

Re: Domain Join - "Use DC name from NTLM Handshake"

In many environments it is not possible to find/configure the correct Windows Domain Controller (DC) name needed to establish an SMB connection to the DC. MWG fails to set up a connection to a DC if a wrong DC name is used. Using the DC name that was provided by the DC during session negotiation reduces the risk of authentication failures.

It happens quite often that people cannot correctly configure DC names in MWG when joining a Windows domain. Common scenarios are:

  • People use IP addresses instead of DC names, and the reverse DNS lookup fails
  • People use an alias instead of the primary DC name
  • People have a load balancer in front of their DCs


The DC rejects the session authentication request from MWG if MWG uses a wrong DC name. MWG then fails to set up the SMB connection and fails to authenticate users.

Let's assume that people have entered 1.1.1.1 (a valid load balancer IP address) as the DC name.

 

Problem scenario (checkbox is deactivated)

  Source   Destination    Comment
  MWG      DC (1.1.1.1)   Open SMB session
  DC       MWG            Accepted, DC name: dc2.int.company.com
  MWG      DNS            Reverse lookup 1.1.1.1
  DNS      MWG            FQDN dc-load.int.company.com
  MWG      DC             Open RPC connection to dc-load.int.company.com
  DC       MWG            Error: STATUS_INVALID_COMPUTER_NAME

Optimized scenario (checkbox is activated)

  Source   Destination    Comment
  MWG      DC (1.1.1.1)   Open SMB session
  DC       MWG            Accepted, DC name: dc2.int.company.com
  MWG      DC             Open RPC connection to dc2.int.company.com
  DC       MWG            OK

Activate the checkbox “Use DC Name from NTLM handshake” when joining a domain or editing the domain membership. Edit the domain setup and deactivate the checkbox to restore the previous behavior.
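The challenge fields the first reply walks through and the name selection in the scenario tables, as an added example (not MWG code, and not a description of how MWG is implemented): a Python parser for the NTLM CHALLENGE_MESSAGE that pulls the DNS computer name out of the Target Info AV_PAIR list, then shows which host name ends up in the RPC request with the checkbox off (reverse DNS of the configured 1.1.1.1) and on (the name the DC announced). The challenge bytes are constructed from the values shown in the capture (target name, server challenge, flags, version) together with the scenario's DC names; the reverse-DNS map, the timestamp and the simulated DC check are constructed assumptions, and `parse_av_pairs`, `parse_challenge`, `dc_name_for_netlogon` and `demo` are names chosen here.

```python
"""Parse an NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) and pick the DC name used for Netlogon.
Added example for this thread, not MWG code: built from the capture's values and the
scenario tables' DC names; reverse DNS, the timestamp and the DC check are stand-ins."""
import struct
from datetime import datetime, timedelta, timezone

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_CHALLENGE = 2
HEADER_LEN = 56  # fixed part of CHALLENGE_MESSAGE, Version field included
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",  # MS-NLMP 2.2.2.1
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
            6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
            10: "MsvAvChannelBindings"}  # Wireshark shows these as "Attribute: ..." above

def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC (the MsvAvTimestamp encoding)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601  # integer arithmetic on purpose: float seconds lose ticks
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def build_challenge(target_name, av_pairs, server_challenge, flags, version):
    """Serialise a CHALLENGE_MESSAGE; av_pairs is a list of (AvId, raw value bytes)."""
    name = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_CHALLENGE)
    msg += struct.pack("<HHI", len(name), len(name), HEADER_LEN)              # TargetNameFields
    msg += struct.pack("<I", flags) + server_challenge + bytes(8)             # flags, challenge, reserved
    msg += struct.pack("<HHI", len(info), len(info), HEADER_LEN + len(name))  # TargetInfoFields
    return msg + version + name + info                                        # 8-byte VERSION, payload

def parse_av_pairs(blob):
    """Walk the AV_PAIR list; raises ValueError on truncated or unterminated input."""
    pairs, pos = {}, 0
    while True:
        if pos + 4 > len(blob):
            raise ValueError("AV_PAIR list not terminated by MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        if len(value) != av_len:
            raise ValueError("AV_PAIR value runs past the end of TargetInfo")
        pos += 4 + av_len
        if av_id == 0:
            return pairs
        key = AV_NAMES.get(av_id, "MsvAvUnknown(%d)" % av_id)
        if av_id in (1, 2, 3, 4, 5, 9):  # UTF-16LE string attributes
            pairs[key] = value.decode("utf-16-le")
        elif av_id == 7 and av_len == 8:
            pairs[key] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[key] = value

def parse_challenge(msg):
    """Decode the fields Wireshark shows under 'NTLM Secure Service Provider' above."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != NTLMSSP_CHALLENGE:
        raise ValueError("not a CHALLENGE_MESSAGE")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    if max(name_off + name_len, info_off + info_len) > len(msg):
        raise ValueError("payload field points outside the message")
    ver = msg[48:56]  # ProductMajor, ProductMinor, ProductBuild (u16), 3 reserved, NTLMRevisionCurrent
    return {
        "target_name": msg[name_off:name_off + name_len].decode("utf-16-le"),
        "flags": flags,
        "server_challenge": msg[24:32].hex(),
        "version": "%d.%d (Build %d); NTLM Current Revision %d"
                   % (ver[0], ver[1], struct.unpack_from("<H", ver, 2)[0], ver[7]),
        "target_info": parse_av_pairs(msg[info_off:info_off + info_len]),
    }

def dc_name_for_netlogon(configured_dc, use_handshake_name, target_info, reverse_dns):
    """Name the client puts in the IPC$ tree connect / Netlogon request."""
    if use_handshake_name:
        return target_info["MsvAvDnsComputerName"]        # what the DC itself announced
    return reverse_dns.get(configured_dc, configured_dc)  # what the admin configured, via rDNS

def simulated_dc_response(requested_name, dc_fqdn):
    """Constructed stand-in for the DC: it accepts only its own name."""
    return "OK" if requested_name.lower() == dc_fqdn.lower() else "STATUS_INVALID_COMPUTER_NAME"

def demo():
    u16 = lambda s: s.encode("utf-16-le")
    version = struct.pack("<BBH3xB", 6, 3, 9600, 15)  # "Version 6.3 (Build 9600); rev 15"
    ts = datetime_to_filetime(datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))  # constructed
    msg = build_challenge("INT", [(2, u16("INT")), (1, u16("DC2")), (4, u16("int.company.com")),
                                  (3, u16("dc2.int.company.com")), (5, u16("int.company.com")),
                                  (7, struct.pack("<Q", ts))],
                          bytes.fromhex("62f93a0f7f51a694"), 0xE2898215, version)
    parsed = parse_challenge(msg)
    reverse_dns = {"1.1.1.1": "dc-load.int.company.com"}  # constructed: the load balancer VIP
    results = {}
    for enabled in (False, True):  # checkbox deactivated / activated
        name = dc_name_for_netlogon("1.1.1.1", enabled, parsed["target_info"], reverse_dns)
        results[enabled] = (name, simulated_dc_response(name, "dc2.int.company.com"))
    return parsed, results
```

`demo()` returns the parsed message and a dict keyed by the checkbox state: with it off the RPC goes to the reverse-DNS name of the load balancer and the stand-in DC answers STATUS_INVALID_COMPUTER_NAME, with it on the name from the handshake is used and the call succeeds. The length checks in `parse_av_pairs` and `parse_challenge` are there because TargetInfo arrives from the peer, so an offset or length pointing past the blob has to be rejected rather than read.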

Re: Domain Join - "Use DC name from NTLM Handshake"

Thank you for your prompt and detailed response @alok_sarda 
It has helped us resolve some domain join issues as we could not find a mention of this option in any of the MWG manuals/setup instructions.
