
4.8 Establish Alternate Channel

The following diagram demonstrates the steps taken to establish an alternate channel.

Figure 13: Establishing an alternate channel

  1. The client sends an SMB2 NEGOTIATE Request with dialect 0x300 in the Dialects array, and the SMB2_GLOBAL_CAP_MULTI_CHANNEL (0x00000008) bit set in Capabilities.

    SMB2: C   NEGOTIATE (0x0), ClientGUID={F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
    CNegotiate: 
    StructureSize: 36 (0x24)
    DialectCount: 3 (0x3)
    SecurityMode: 1 (0x1)
    SMB2NEGOTIATESIGNINGENABLED:  (...............1) security signatures are enabled on the client.
    SMB2NEGOTIATESIGNINGREQUIRED: (..............0.) security signatures are not required by the client.
    Reserved:                     (00000000000000..) Reserved
    Reserved: 0 (0x0)
    Capabilities: 0x7F
    ClientGuid: {F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
    ClientStartTime: No Time Specified (0)
    Dialects: 
    Dialects: 514 (0x202)
    Dialects: 528 (0x210)
    Dialects: 768 (0x300)
    
  2. The server receives the SMB2 NEGOTIATE Request and finds dialect 0x0300. The server responds with an SMB2 NEGOTIATE Response with dialect 0x300 in the DialectRevision, and the SMB2_GLOBAL_CAP_MULTI_CHANNEL(0x00000008) bit set in Capabilities.

    SMB2: R   NEGOTIATE (0x0), ServerGUID={1B005379-8063-F0B6-4907-4957998700A1}
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: R NEGOTIATE (0x0),TID=0x0000, MID=0x0000, PID=0xFEFF, SID=0x0000
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: 0x0, Code = (0) STATUS_SUCCESS, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS
    Flags: 0x1
    NextCommand: 0 (0x0)
    MessageId: 0 (0x0)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
    Signature: Binary Large Object (16 Bytes)
    RNegotiate: 
    StructureSize: 65 (0x41)
    SecurityMode: 1 (0x1)
    SMB2NEGOTIATESIGNINGENABLED:  (...............1) security signatures are enabled on the client.
    SMB2NEGOTIATESIGNINGREQUIRED: (..............0.) security signatures are not required by the client.
    Reserved:                     (00000000000000..) Reserved
    DialectRevision: (0x300) - SMB 3.0 dialect revision number.
    Reserved: 0 (0x0)
    ServerGuid: {1B005379-8063-F0B6-4907-4957998700A1}
    Capabilities: 0x7F
    MaxTransactSize: 1048576 (0x100000)
    MaxReadSize: 1048576 (0x100000)
    MaxWriteSize: 1048576 (0x100000)
    SystemTime: 05/11/2012, 06:41:20.036527 UTC
    ServerStartTime: 05/10/2012, 09:56:03.345351 UTC
    SecurityBufferOffset: 128 (0x80)
    SecurityBufferLength: 120 (0x78)
    Reserved2: 0 (0x0)
    
  3. The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request with the output token received from GSS.

    SMB2: C   SESSION SETUP (0x1)
    CSessionSetup: 
    StructureSize: 25 (0x19)
    Flags: 0 (0x0)
    SecurityMode: 1 (0x1)      
    Capabilities: 0x1      
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 74 (0x4A)
    PreviousSessionId: 0 (0x0)
    securityBlob:  
    
  4. The server processes the token received with GSS and gets a return code. The GSS return code indicates that an additional exchange is required to complete the authentication. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.

    SMB2: R  - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED  SESSION SETUP (0x1), SessionFlags=0x0
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: R SESSION SETUP (0x1),TID=0x0000, MID=0x0001, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: 0xC0000016, Code = (22) STATUS_MORE_PROCESSING_REQUIRED, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_ERROR
    Command: SESSION SETUP (0x1)
    Credits: 1 (0x1)
    Flags: 0x1
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
    RSessionSetup: 
    StructureSize: 9 (0x9)
    SessionFlags: 0x0
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 349 (0x15D)
    
  5. The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the previous response.

    SMB2: C   SESSION SETUP (0x1)
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: C SESSION SETUP (0x1),TID=0x0000, MID=0x0002, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: SESSION SETUP (0x1)
    Credits: 10 (0xA)
    Flags: 0x0
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
    SMB2: C   SESSION SETUP (0x1)
    CSessionSetup: 
    StructureSize: 25 (0x19)
    Flags: 0 (0x0)
    SecurityMode: 1 (0x1)
    Capabilities: 0x1      
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 625 (0x271)
    PreviousSessionId: 0 (0x0)
    
  6. The server processes the token received with GSS and gets a successful return code. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.

    SMB2: R   SESSION SETUP (0x1), SessionFlags=0x0
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: R SESSION SETUP (0x1),TID=0x0000, MID=0x0002, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: 0x0, Code = (0) STATUS_SUCCESS, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS
    Flags: 0x9
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
    RSessionSetup: 
    StructureSize: 9 (0x9)
    SessionFlags: 0x0
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 29 (0x1D)
    
  7. The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the SessionId for the session, and a tree connect request containing the Unicode share name "\\smb2server\share".

    SMB2: C   TREE CONNECT (0x3), Path:\\smb2server\share 
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: C TREE CONNECT (0x3),TID=0x0000, MID=0x0003, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: TREE CONNECT (0x3)
    Credits: 10 (0xA)
    Flags: 0x0
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
    CTreeConnect: 
    StructureSize: 9 (0x9)
    Reserved: 0 (0x0)
    PathOffset: 72 (0x48)
    PathLength: 42 (0x2A)
    Path:\\smb2server\share
    
  8. The server responds with an SMB2 TREE_CONNECT Response with the MessageId of 3, the CreditResponse of 5, the Status equal to STATUS_SUCCESS, the SessionId of 0x8040030000075, and TreeId set to the locally generated identifier 0x1.

    SMB2: R   TREE CONNECT (0x3), TID=0x1
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: R TREE CONNECT (0x3),TID=0x0001, MID=0x0003, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: 0x0, Code = (0) STATUS_SUCCESS, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS
    Flags: 0x1
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 65279 (0xFEFF)
    TreeId: 1 (0x1)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
    RTreeConnect: 0x1
    StructureSize: 16 (0x10)
    ShareType: Disk (0x1)
    Reserved: 0 (0x0)
    ShareFlags: 2048 (0x800)
    Capabilities: 0x0
    MaximalAccess: 0x1F01FF
    
  9. The client sends a FSCTL_VALIDATE_NEGOTIATE_INFO IOCTL request with the Dialects array set to 0x202, 0x210, and 0x300, along with the expected server capabilities, security mode, and GUID, to protect against a downgrade attack.

    SMB2: C   IOCTL (0xb), FID=0xFFFFFFFFFFFFFFFF, FSCTL_VALIDATE_NEGOTIATE_INFO
    CIoCtl: 
    StructureSize: 57 (0x39)
    Reserved: 0 (0x0)
    CtlCode: FSCTL_VALIDATE_NEGOTIATE_INFO
    FileId: Persistent: 0xFFFFFFFFFFFFFFFF, Volatile: 0xFFFFFFFFFFFFFFFF
    Persistent: 18446744073709551615 (0xFFFFFFFFFFFFFFFF)
    volatile: 18446744073709551615 (0xFFFFFFFFFFFFFFFF)
    InputOffset: 120 (0x78)
    InputCount: 30 (0x1E)
    MaxInputResponse: 0 (0x0)
    OutputOffset: 120 (0x78)
    OutputCount: 0 (0x0)
    MaxOutputResponse: 24 (0x18)
    Flags: (00000000000000000000000000000001) FSCTL request
    Reserved2: 0 (0x0)
    ValidateNegotiate: 
    Capabilities: 0x7F
    Guid: {F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
    SecurityMode: 1 (0x1)
    DialectCount: 3 (0x3)
    Dialects: 
    Dialects: 514 (0x202)
    Dialects: 528 (0x210)
    Dialects: 768 (0x300)
    
  10. The server determines that dialect, capabilities, security mode, and GUID are as expected, and sends an FSCTL_VALIDATE_NEGOTIATE_INFO IOCTL Response with the established values for the connection in an SMB2 IOCTL Response. Upon receiving and validating these, the client successfully validates the end-to-end negotiation and processing proceeds to using the session.

    SMB2: R   IOCTL (0xb), FSCTL_VALIDATE_NEGOTIATE_INFO
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: R IOCTL (0xb),TID=0x0001, MID=0x0004, PID=0x000D, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 1 (0x1)
    Status: 0x0, Code = (0) STATUS_SUCCESS, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS
    Flags: 0x9
    NextCommand: 0 (0x0)
    MessageId: 4 (0x4)
    Reserved: 13 (0xD)
    TreeId: 1 (0x1)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
    RIoCtl: 
    StructureSize: 49 (0x31)
    Reserved: 0 (0x0)
    CtlCode: FSCTL_VALIDATE_NEGOTIATE_INFO
    FileId: Persistent: 0xFFFFFFFFFFFFFFFF, Volatile: 0xFFFFFFFFFFFFFFFF
    Persistent: 18446744073709551615 (0xFFFFFFFFFFFFFFFF)
    volatile: 18446744073709551615 (0xFFFFFFFFFFFFFFFF)
    InputOffset: 112 (0x70)
    InputCount: 0 (0x0)
    OutputOffset: 112 (0x70)
    OutputCount: 24 (0x18)
    Flags: 0 (0x0)
    Reserved2: 0 (0x0)
    ValidateNegotiate: 
    Capabilities: 0x7F
    Dialect: 768 (0x300)

  11. To establish an alternate channel, the client sends an FSCTL_QUERY_NETWORK_INTERFACE_INFO IOCTL request to query the available network interfaces on the server.

    SMB2: C   IOCTL (0xb), FID=0xFFFFFFFFFFFFFFFF, FSCTL_QUERY_NETWORK_INTERFACE_INFO
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: C IOCTL (0xb),TID=0x0001, MID=0x0005, PID=0x000D, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 1 (0x1)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: IOCTL (0xb)
    Credits: 10 (0xA)
    Flags: 0x0
    NextCommand: 0 (0x0)
    MessageId: 5 (0x5)
    Reserved: 13 (0xD)
    TreeId: 1 (0x1)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
    CIoCtl: 
    StructureSize: 57 (0x39)
    Reserved: 0 (0x0)
    CtlCode: FSCTL_QUERY_NETWORK_INTERFACE_INFO
    FileId: Persistent: 0xFFFFFFFFFFFFFFFF, Volatile: 0xFFFFFFFFFFFFFFFF
    InputOffset: 0 (0x0)
    InputCount: 0 (0x0)
    MaxInputResponse: 0 (0x0)
    OutputOffset: 0 (0x0)
    OutputCount: 0 (0x0)
    MaxOutputResponse: 1000 (0x3E8)
    Flags: (00000000000000000000000000000001) FSCTL request
    Reserved2: 0 (0x0)

  12. The server sends a NETWORK_INTERFACE_INFO Response in an SMB2 IOCTL Response with the available network interfaces.

    SMB2: R   IOCTL (0xb), FSCTL_QUERY_NETWORK_INTERFACE_INFO
    RIoCtl: 
    StructureSize: 49 (0x31)
    Reserved: 0 (0x0)
    CtlCode: FSCTL_QUERY_NETWORK_INTERFACE_INFO
    FileId: Persistent: 0xFFFFFFFFFFFFFFFF, Volatile: 0xFFFFFFFFFFFFFFFF
    InputOffset: 112 (0x70)
    InputCount: 0 (0x0)
    OutputOffset: 112 (0x70)
    OutputCount: 912 (0x390)
    Flags: 0 (0x0)
    Reserved2: 0 (0x0)
    InterfaceInfo:
    Next: 152 (0x98)
    IfIndex: 12 (0xC)
    Capability: 1 (0x1)
    RSSCapable: 1 (0x1)
    RDMACapable: 0 (0x0)
    Reserved: 0 (0x0)
    Reserved: 0 (0x0)
    LinkSpeed: 10000000000 (0x2540BE400)
    SockAddr: 172.25.220.21:0
    Family: 2 (0x2)
    IPv4: 172.25.220.21:0
    Port: 0 (0x0)
    Address: 172.25.220.21
    Reserved: Binary Large Object (8 Bytes)
    EntryPadding: Binary Large Object (112 Bytes)   
    
  13. The client selects any one network interface pair to establish a new connection, and sends an SMB2 NEGOTIATE Request with dialect 0x300 in the Dialects array, and the SMB2_GLOBAL_CAP_MULTI_CHANNEL (0x00000008) bit set in Capabilities.

    SMB2: C   NEGOTIATE (0x0), ClientGUID={F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: C NEGOTIATE (0x0),TID=0x0000, MID=0x0000, PID=0xFEFF, SID=0x0000
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: NEGOTIATE (0x0)
    Credits: 10 (0xA)
    Flags: 0x0      
    NextCommand: 0 (0x0)
    MessageId: 0 (0x0)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
    Signature: Binary Large Object (16 Bytes)
    CNegotiate: 
    StructureSize: 36 (0x24)
    DialectCount: 3 (0x3)
    SecurityMode: 1 (0x1)      
    Reserved: 0 (0x0)
    Capabilities: 0x3F      
    ClientGuid: {F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
    ClientStartTime: No Time Specified (0)
    Dialects: 
    Dialects: 514 (0x202)
    Dialects: 528 (0x210)
    Dialects: 768 (0x300)

  14. The server responds with an SMB2 NEGOTIATE Response with dialect 0x300 in the DialectRevision, and the SMB2_GLOBAL_CAP_MULTI_CHANNEL (0x00000008) bit set in Capabilities.

    SMB2: R   NEGOTIATE (0x0), ServerGUID={1B005379-8063-F0B6-4907-4957998700A1}
    RNegotiate: 
    StructureSize: 65 (0x41)
    SecurityMode: 1 (0x1)
    DialectRevision: (0x300) - SMB 3.0 dialect revision number.
    Reserved: 0 (0x0)
    ServerGuid: {1B005379-8063-F0B6-4907-4957998700A1}
    Capabilities: 0x3F      
    MaxTransactSize: 1048576 (0x100000)
    MaxReadSize: 1048576 (0x100000)
    MaxWriteSize: 1048576 (0x100000)
    SystemTime: 05/11/2012, 06:41:49.996099 UTC
    ServerStartTime: 05/10/2012, 09:56:03.345351 UTC
    SecurityBufferOffset: 128 (0x80)
    SecurityBufferLength: 120 (0x78)
    Reserved2: 0 (0x0)
    
  15. The client sends an SMB2 SESSION_SETUP Request with SMB2_SESSION_FLAG_BINDING set in the Flags field, the SessionId of the previous channel's session (0x4040104000001) set in the header, and the PreviousSessionId field set to 0, and signs the message using Session.SigningKey derived from AES_CMAC-128. Because the request and response are signed, the client does not need to revalidate the negotiation.

    SMB2: C   SESSION SETUP (0x1)
    SMBIdByte: 254 (0xFE)
    SMBIdentifier: SMB
    SMB2Header: C SESSION SETUP (0x1),TID=0x0000, MID=0x0001, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: SESSION SETUP (0x1)
    Credits: 10 (0xA)
    Flags: 0x8      
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
    CSessionSetup: 
    StructureSize: 25 (0x19)
    Flags: 1 (0x1)
    SessionBind: (.......1) bind this connection to an existing session (specified in PreviousSessionId)
    Reserved:    (0000000.) Reserved
    SecurityMode: 1 (0x1)
    Capabilities: 0x1
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 74 (0x4A)
    PreviousSessionId: 0 (0x0)
    
  16. The server processes the token received with GSS and gets a return code. The GSS return code indicates that an additional exchange is required to complete the authentication. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.

    SMB2: R  - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED  SESSION SETUP (0x1), SessionFlags=0x0
    RSessionSetup: 
    StructureSize: 9 (0x9)
    SessionFlags: 0x0
    GU:                (...............0) NOT a guest user
    NU:                (..............0.) NOT a NULL user
    Reserved_bits2_15: (00000000000000..) Reserved
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 349 (0x15D)
    
  17. The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the response.

    SMB2: C   SESSION SETUP (0x1)
    CSessionSetup: 
    StructureSize: 25 (0x19) 
    Flags: 1 (0x1)
    SessionBind: (.......1) bind this connection to an existing session (specified in PreviousSessionId)
    Reserved:    (0000000.) Reserved
    SecurityMode: 1 (0x1)
    Capabilities: 0x1
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 625 (0x271)
    PreviousSessionId: 0 (0x0)
    
  18. The server processes the token received with GSS and gets a successful return code. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.

    SMB2: R   SESSION SETUP (0x1), SessionFlags=0x0
    SMBIdByte: 254 (0xFE)
    RSessionSetup: 
    StructureSize: 9 (0x9)
    SessionFlags: 0x0
    GU:                (...............0) NOT a guest user
    NU:                (..............0.) NOT a NULL user
    Reserved_bits2_15: (00000000000000..) Reserved
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 29 (0x1D)
    securityBlob:
  19. An alternate channel has been established for the session.
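
The downgrade check of steps 9 and 10, as an added example that is not part of the specification text: it packs the VALIDATE_NEGOTIATE_INFO input buffer from the trace values and compares the server's signed answer with what the client recorded from the unsigned NEGOTIATE Response. The function names are hypothetical, the response buffers are constructed, and the caller is assumed to have already verified the message signature.

```python
import struct
import uuid

SMB2_FLAGS_SIGNED = 0x00000008   # SMB2 header Flags bit (set in 0x9, step 10)
RESPONSE_FMT = "<I16sHH"         # Capabilities, Guid, SecurityMode, Dialect

def build_validate_request(capabilities, client_guid, security_mode, dialects):
    """Pack the VALIDATE_NEGOTIATE_INFO input buffer sent in step 9."""
    fixed = struct.pack("<I16sHH", capabilities, client_guid.bytes_le,
                        security_mode, len(dialects))
    return fixed + struct.pack("<%dH" % len(dialects), *dialects)

def parse_validate_response(buf):
    """Unpack the 24-byte output buffer returned in step 10."""
    if len(buf) != struct.calcsize(RESPONSE_FMT):
        raise ValueError("unexpected VALIDATE_NEGOTIATE_INFO response length")
    caps, guid, mode, dialect = struct.unpack(RESPONSE_FMT, buf)
    return {"capabilities": caps, "server_guid": uuid.UUID(bytes_le=guid),
            "security_mode": mode, "dialect": dialect}

def negotiation_mismatches(recorded, header_flags, response_buf):
    """Return the fields that differ between the values recorded from the
    NEGOTIATE Response and the server's answer. Any entry means the
    negotiation cannot be trusted and the connection should be dropped."""
    if not header_flags & SMB2_FLAGS_SIGNED:
        return ["unsigned response"]   # an unsigned answer proves nothing
    reported = parse_validate_response(response_buf)
    return [k for k in sorted(recorded) if recorded[k] != reported[k]]

# Values taken from the trace on this page (steps 1, 2, 9 and 10).
CLIENT_GUID = uuid.UUID("F62E4D0B-C685-E48B-40B6-D815CB56FF6E")
RECORDED = {"capabilities": 0x7F,
            "server_guid": uuid.UUID("1B005379-8063-F0B6-4907-4957998700A1"),
            "security_mode": 0x1, "dialect": 0x300}

def sample_response(**overrides):
    """Constructed response buffer: the recorded values, optionally altered."""
    v = dict(RECORDED, **overrides)
    return struct.pack(RESPONSE_FMT, v["capabilities"],
                       v["server_guid"].bytes_le, v["security_mode"],
                       v["dialect"])

if __name__ == "__main__":
    req = build_validate_request(0x7F, CLIENT_GUID, 0x1, [0x202, 0x210, 0x300])
    print(len(req))   # matches InputCount in step 9
    print(negotiation_mismatches(RECORDED, 0x9, sample_response()))
    # Constructed mismatch: server reports SMB 2.1 without the multichannel bit.
    print(negotiation_mismatches(
        RECORDED, 0x9, sample_response(dialect=0x210, capabilities=0x77)))
    # Constructed case: same values, but the SIGNED flag is missing.
    print(negotiation_mismatches(RECORDED, 0x1, sample_response()))
```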

 