220.127.116.11.4.1 Sequence Diagram
For the user to be successfully authenticated and to establish a session, the client MUST follow a security negotiation scheme that can involve one or more roundtrips of SMB_COM_SESSION_SETUP_ANDX request and response. In each roundtrip, the server and client exchange security tokens. The exchange of security tokens MUST continue until either the client or the server determines that authentication has failed or both sides decide that authentication is complete. If authentication fails, then the client drops the connection and indicates the error (see the following diagram for details). If authentication succeeds, then the application protocol can be assured of the identity of the participants as far as the supporting authentication protocol can accomplish.
In the sequence diagram that follows, requests drawn with solid-line arrows are the requests that the client MUST send. Requests drawn with dotted-line arrows are the requests that the client MAY send. The server MUST respond to each client request that it receives.
Figure 2: User authentication and session establishment sequence
The diagram illustrates the sequence of events during the protocol negotiation and session establishment process. After the initial SMB_COM_NEGOTIATE command exchange has been completed, the SMB_COM_NEGOTIATE exchange MUST NOT be repeated over the same SMB connection; otherwise, the server disconnects the client by closing the underlying transport connection. The parameters returned in the SMB_COM_NEGOTIATE response MUST be used when creating new sessions over the same connection.
Session Setup Roundtrip
The SMB_COM_NEGOTIATE server response is processed as described in [MS-CIFS] section 18.104.22.168. The protocol extensions in this document apply only to the NT LM 0.12 dialect of SMB. For further information on SMB dialects, see [MS-CIFS] section 1.7.
If the NT LM 0.12 dialect is successfully negotiated, then the SMB client examines the Capabilities field in the SMB_COM_NEGOTIATE server response (section 22.214.171.124.2). If the CAP_EXTENDED_SECURITY bit is clear (0x00000000), then the SMB server does not support extended security. In order for authentication to proceed, the SMB client MUST build a non-extended SMB_COM_SESSION_SETUP_ANDX request, and MUST set the WordCount field to 0x0d. Authentication then proceeds as described in [MS-CIFS] section 126.96.36.199.4.
If the CAP_EXTENDED_SECURITY bit is set (0x80000000), then the SMB server does support extended security. The SMB client MUST build an SMB_COM_SESSION_SETUP_ANDX request in the extended form, as specified in section 188.8.131.52.1. The request is sent to the SMB server, and the server builds an extended SMB_COM_SESSION_SETUP_ANDX server response (section 184.108.40.206.2). The security BLOB in the session setup response is built as specified in [RFC2743].
Upon receiving the extended SMB_COM_SESSION_SETUP_ANDX server response (section 220.127.116.11.2), the SMB client invokes the local security package to determine whether the session setup SHOULD be completed, aborted, or continued. A completed session setup indicates that the server has enough information to establish the session. An aborted session setup indicates that the server cannot proceed because of an error in the information presented by the client, or for some other reason. If the session setup has to be continued, the security package on the client, the server, or both requires at least one additional roundtrip before the session can be established. This is especially true of newer security packages that support mutual authentication between the client and server.
In the case of extended security, the SMB protocol does not make the distinction between NTLM and Kerberos; therefore, the sequence defined previously in this section is the same in both cases. If authentication succeeds after a single roundtrip, then only one session setup exchange is required. Otherwise, additional roundtrips will be required.
Each additional roundtrip MUST consist of one SMB_COM_SESSION_SETUP_ANDX client request and one SMB_COM_SESSION_SETUP_ANDX server response. In the sequence diagram, this is represented by the horizontal dotted line that symbolizes additional roundtrips up to the final roundtrip, which is shown as SMB_COM_SESSION_SETUP_ANDX Client Request N and SMB_COM_SESSION_SETUP_ANDX Server Response N, where N is a number larger than 1.
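The client-side decision flow described above (Capabilities check, choice of request form, and the roundtrip loop until the security package reports complete or aborted), as an added Python model that is not part of the specification text. The NTSTATUS values, the extended-form WordCount of 0x0C, and the mock security package and mock server are assumptions for illustration; the non-extended NTLM path is deliberately not modelled.

```python
import struct

CAP_EXTENDED_SECURITY = 0x80000000   # Capabilities bit named in the text
WORDCOUNT_NON_EXTENDED = 0x0D        # WordCount the text requires for the non-extended request
WORDCOUNT_EXTENDED = 0x0C            # WordCount of the extended request (MS-SMB, assumed here)
STATUS_SUCCESS = 0x00000000          # NTSTATUS values (assumed, from MS-CIFS)
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016
STATUS_LOGON_FAILURE = 0xC000006D

def parse_capabilities(field: bytes) -> int:
    return struct.unpack("<I", field)[0]   # 4-byte little-endian Capabilities field

def build_session_setup(capabilities: int, security_blob: bytes = b""):
    """Pick the request form from Capabilities: returns (WordCount, blob or None)."""
    if capabilities & CAP_EXTENDED_SECURITY:
        return WORDCOUNT_EXTENDED, security_blob   # extended form carries the GSS token
    return WORDCOUNT_NON_EXTENDED, None            # non-extended form has no security BLOB

def negotiate_session(capabilities: int, client_package, server):
    """Drive SMB_COM_SESSION_SETUP_ANDX roundtrips until complete or aborted.
    client_package(in_token) -> (out_token, done); server(blob) -> (status, out_token).
    Returns (outcome, number_of_roundtrips)."""
    if not capabilities & CAP_EXTENDED_SECURITY:
        return "non-extended", 1       # authentication continues per MS-CIFS, not modelled
    in_token, roundtrips = b"", 0
    while True:
        out_token, done = client_package(in_token)
        roundtrips += 1
        _, blob = build_session_setup(capabilities, out_token)
        status, in_token = server(blob)
        if status == STATUS_SUCCESS:
            if not done:               # mutual auth: client still validates the final token
                _, done = client_package(in_token)
            return ("complete" if done else "aborted"), roundtrips
        if status != STATUS_MORE_PROCESSING_REQUIRED:
            return "aborted", roundtrips   # client drops the connection and reports the error

def make_mock_package(legs):
    """Constructed security package that needs `legs` tokens before it is satisfied."""
    leg = [0]
    def package(in_token):
        leg[0] += 1
        return b"client-token-%d" % leg[0], leg[0] >= legs
    return package

def make_mock_server(legs):
    """Constructed server that demands `legs` roundtrips, then accepts the session."""
    leg = [0]
    def server(blob):
        leg[0] += 1
        if leg[0] < legs:
            return STATUS_MORE_PROCESSING_REQUIRED, b"server-token-%d" % leg[0]
        return STATUS_SUCCESS, b""
    return server
```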