Server: NetApp ONTAP 9.3 Server
Protocol: SMB2
Command: SMB2 Session Setup
We are seeing an issue with the NetApp ONTAP 9.3 server's Session Setup Response when using Kerberos authentication: in the AP-REP response token, it sends a duplicate SPNEGO response token in the mechListMIC field instead of sending the MIC signature. Please refer to the left-hand pane of the attached image for the buggy packet and the right-hand pane for the correct one.
As a result, clients that parse the token and perform MIC verification will reject it as a defective token.
A similar issue was also seen with Windows 2000 Server.
https://krbdev.mit.edu/rt/Ticket/Display.html?id=6726
So it looks like NetApp also has to fix this.
The Heimdal GSSAPI provides a way to work around this (and skip MIC verification) by safely omitting this buggy SPNEGO token, but the server has to send an OID flag "BUGGY SPNEGO" for clients to safely omit this MIC verification.
Refer to the GitHub diff at
https://github.com/heimdal/heimdal/pull/668/commits/8db8a2137632624aed05bf6100e9033e2c6cc0d0
File name: lib/gssapi/spnego/init_sec_context.c
Look for the comment lines below:
/* ...unless its a windows 2000 server that sends the
* responseToken inside the mechListMIC too. We only
* accept this condition if would have been safe to omit
* anyway. */