3.2.5.3 Receiving an SMB_COM_SESSION_SETUP_ANDX Response

  • Article

If the Status field of the response does not contain STATUS_SUCCESS, the client MUST propagate the error to the application that initiated the authentication. The connection MUST remain open for the client to attempt another authentication.

If the Status field of the response contains STATUS_SUCCESS, then authentication was successful, and a new Client.Session MUST be initialized and stored in Client.Connection.SessionTable.

The client MUST retain the UID returned in the SMB Header (section 2.2.3.1) of the response in Client.Session.SessionUID. The client MUST also set the value of the Client.Session.SessionKey based upon the SMB_SETUP_USE_LANMAN_KEY (0x02) bit of the Action field in the SMB_COM_SESSION_SETUP_ANDX response. If the bit is set, and if LM challenge/response was used instead of LMv2 challenge/response, the server indicates that LM challenge/response succeeded and the LM Session Key MUST be used to set Client.Session.SessionKey. If the bit is clear or if the LMv2 response was sent, the NT Session Key MUST be used to set Client.Session.SessionKey. If the LM Session Key or NT Session Key is equal to or greater than 16 bytes, only the least significant 16 bytes MUST be stored in Client.Session.SessionKey. Otherwise, the session key MUST be stored in Client.Session.SessionKey and MUST be padded with zeros up to 16 bytes.

Activating Signing

If authentication has just completed successfully, Client.Connection.IsSigningActive is FALSE, and the targeted behavior for this connection is Signed based on the description in section 3.2.4.2.4, then the client MUST determine whether signing needs to be activated. This is done by determining the user's security context that completed authentication:

  • If the user authenticated as a guest (the SMB_SETUP_GUEST flag is set in the Action field of the SMB_COM_SESSION_SETUP_ANDX response) or is anonymous (did not provide credentials), signing MUST NOT be activated.

  • If the user authenticated as a regular user, the client MUST activate signing. If Client.Connection.SigningSessionKey is Empty:

    • The client MUST copy the entire cryptographic session key obtained from authentication subsystem, as specified in [MS-NLMP], and store it as Client.Connection.SigningSessionKey. If the length of Client.Connection.SigningSessionKey is less than 16, the client SHOULD pad it with zeros up to 16 bytes.

    • The value of Client.Connection.SigningChallengeResponse MUST be set based upon the SMB_SETUP_USE_LANMAN_KEY (0x02) bit of the Action field in the SMB_COM_SESSION_SETUP_ANDX response sent from the server to the client. If the bit is set, the server indicates that the LM or LMv2 challenge/response succeeded and the challenge response sent in the OEMPassword field MUST be used. Otherwise, the challenge response sent in the UnicodePassword field MUST be used.

Once these steps are done, the client MUST verify the signature of this response. The client follows the steps specified in section 3.1.5.1, passing in a sequence number of 1 because this is the first signed packet.