Win_sspi plugin uses NTLM

[milk37]

AuthSspi.cpp makes a call to AcquireCredentialsHandle in the ctor of class AuthSspi (line 112) with the security package hard-coded as "NTLM".

Consider changing this to "Negotiate" to allow Kerberos to be tried initially, falling back to NTLM if Kerberos is not available.

Also note that MS is looking to disabling NTLM in Windows 11 in the future, for info:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848

[hvlad]

Reopened due to failed QA test for #6204

[hvlad]

Must note that this change introduced incompatibility between "Negotiate" client and "NTLM" server.
AcceptSecurityContext() within "NTLM" server returns SEC_E_INVALID_TOKEN when handling data from "Negotiate" client.
Other direction ("Negotiate" server and "NTLM" client) works OK.

[hvlad]

This is documented restriction, see
https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-negotiate:

A server that uses the Negotiate package is able to respond to client apps that specifically select either the Kerberos or NTLM security provider. However, a client app must know that a server supports the Negotiate package to request authentication using Negotiate. A server that doesn't support Negotiate can't always respond to requests from clients that specify Negotiate as the SSP.