3.3.5.3 Receiving an SMB_COM_SESSION_SETUP_ANDX Request

The processing of an SMB_COM_SESSION_SETUP_ANDX request is handled as specified in [MS-CIFS] section 3.3.5.43 with the following additions:<109>

Storing Client Capabilities

If Server.Connection.ClientCapabilities is equal to zero, then the server MUST set Server.Connection.ClientCapabilities to the Capabilities field that is received in the SMB_COM_SESSION_SETUP_ANDX request. If Server.Connection.ClientCapabilities has already been determined and is nonzero, then the server MUST ignore the capabilities value on subsequent requests.

Determine Reauth or Continuation of Previous Auth

If the SMB_Header.UID is not zero, the server MUST obtain the user name:

  • If Server.Connection.SessionTable[UID].UserSecurityContext is NULL, the server MUST set it to a value representing the user that successfully authenticated this connection. The UserSecurityContext MUST be obtained from the GSS authentication subsystem. If it is not NULL, no changes are necessary.

  • The server MUST invoke the GSS_Inquire_context call as specified in [RFC2743] section 2.2.6, passing Server.Connection.SessionTable[UID].UserSecurityContext as the input parameter, and obtain the user name returned in "src _name".

If the received user name is not equal to Server.Connection.SessionTable[UID].UserName, the server MAY fail the session setup and tear down the underlying transport connection.

Otherwise, the server MUST look up the authentication state for this session and take the following actions based on this state.

  • If Server.Connection.SessionTable[UID].AuthenticationState is InProgress or ReAuthInProgress, then this is a continuation of an authentication in progress. This state indicates that the authentication required multiple roundtrips, and that authentication continues.

  • If Server.Connection.SessionTable[UID].AuthenticationState is Valid or Expired, then this is the re-authentication of a user. The server MUST set AuthenticationState to ReAuthInProgress and begin a new authentication for this session. The server MUST prevent any further operations from executing on this session until authentication is complete, and fail them with STATUS_NETWORK_SESSION_EXPIRED.

  • If there is no session for the provided UID, then the request MUST be failed with STATUS_SMB_BAD_UID.

Extended Security

If CAP_EXTENDED_SECURITY is set in Server.Connection.ClientCapabilities, then the server MUST handle the authentication as defined in this section. Otherwise, it MUST continue to the following NTLM authentication section.

The server MUST extract the GSS token, which is the SecurityBlob contained in the request, with a length of SecurityBlobLength.<110> The server MUST use the configured GSS authentication protocol to obtain the next GSS output token for the authentication protocol exchange. Note that this token can be 0 bytes in length.

If the GSS mechanism indicates an error that is not STATUS_MORE_PROCESSING_REQUIRED, then the server MUST fail the client request, and return only an SMB header and propagate the failure code. If a UID was present in this request, then its associated session MUST be removed from the Server.Connection.SessionTable. The authentication has failed and no further processing is done on this request. This error response is sent to the client.

If the GSS mechanism indicates success, then the server MUST create an SMB_COM_SESSION_SETUP_ANDX response (section 2.2.4.6.2). The SecurityBlob MUST be set to the output token from the GSS mechanism, and SecurityBlobLength is set to the length of the output token. SMB_FLAGS2_EXTENDED_SECURITY is set in the Flags2 field of the SMB header of the response. If the request did not specify a UID in the SMB header of the request, then a UID MUST be generated to represent this user's authentication and its value MUST be placed in the UID field of the SMB header of the response.

If the GSS mechanism indicates that the current output token is the last output token of the authentication exchange based on the return code, as specified in [RFC2743], the Status field in the SMB header of the response MUST be set to STATUS_SUCCESS, and Server.Connection.SessionTable[UID].AuthenticationState MUST be set to Valid. If the client sets the CAP_DYNAMIC_REAUTH capability in the request or the Kerberos authentication protocol enforces session re-authentication, Server.Session.AuthenticationExpirationTime SHOULD<111> be set to the authentication (either NTLM or GSS processing) expiration time returned by the GSS authentication protocol, such as a Kerberos ticket time-out. If this is not the case, Server.Session.AuthenticationExpirationTime SHOULD be set to infinity.

Otherwise, the Status field in the SMB header of the response MUST be set to STATUS_MORE_PROCESSING_REQUIRED, and Server.Connection.SessionTable[UID].AuthenticationState MUST be set to InProgress.

Activating Signing

If Server.Connection.IsSigningActive is FALSE, and the response of the SMB_COM_SESSION_SETUP_ANDX operation contains STATUS_SUCCESS, then the server MUST determine whether or not signing can be activated.

If bit zero of the Action field of the SMB_COM_SESSION_SETUP_ANDX response is set, then signing MUST NOT be activated. If the value of this field is one, then the user attempted to log in as a user other than Guest, but could not be authenticated for that account. Using a fallback mechanism on the server, the user is now logged in as Guest.

Otherwise, Server.Connection.IsSigningActive MUST be set to TRUE if any of the following conditions are satisfied:

  • Server.MessageSigningPolicy is Required.

  • The SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED bit in the Flags2 field of the SMB header of the request is set.

  • Server.MessageSigningPolicy is Enabled and the SMB_FLAGS2_SMB_SECURITY_SIGNATURE bit in the Flags2 field of the SMB header of the request is set.

The server MUST query the authentication protocol, either using NTLM or via GSS API, for the session key used in this authentication, and store it as Server.Connection.SigningSessionKey. If CAP_EXTENDED_SECURITY is set in Server.Connection.ClientCapabilities, then it MUST set Server.Connection.SigningChallengeResponse to NULL. If that capability is not set, then it MUST set Server.Connection.SigningChallengeResponse to the challenge response received in the SMB_COM_SESSION_SETUP_ANDX request.

Once these steps are performed, the server MUST sign the SMB_COM_SESSION_SETUP_ANDX response. The server follows the steps as specified in section 3.1.5 by passing in a sequence number of one.

Acquire Session Key

If authentication is successful, the server MUST query the session key from the authentication package (as specified in [MS-NLMP] for implicit NTLM and in [RFC4178] for extended security). If the session key is equal to or longer than 16 bytes, the session key MUST be stored in Server.Session.SessionKey. Otherwise, the session key MUST be stored in Server.Session.SessionKey and MUST be padded with zeros up to 16 bytes. The server MUST set Server.Session.SessionKeyState to Unavailable.

Authentication Expiry

If Server.Session.AuthenticationExpirationTime expires, the Authentication Expiration Timer marks the Server.Connection.SessionTable[UID].AuthenticationState as Expired when the time-out occurs, as specified in 3.3.2.1.

Show: