3.2.5.1 Receiving Data in the WaitingForHandshakeMessage State

The first five bytes received MUST be interpreted as the header of a Handshake message (as specified in section 2.2). The payload size MUST be reassembled from the HighByteOfPayloadSize and LowByteOfPayloadSize fields (HighByteOfPayloadSize is the most significant byte, so an AuthPayload is at most 65,535 bytes). The MajorVersion and MinorVersion MUST be ignored. The implementation MUST continue to receive data from the Underlying TCP Connection (storing it in the Framing Buffer) until the entire payload has been received. When a full frame has been received, the server MUST check the HandshakeId field of the message to see whether it matches one of the three known message IDs for .NET NegotiateStream Handshake messages (HandshakeInProgress, HandshakeDone, and HandshakeError). If the message ID received matches the message ID for:

  • A HandshakeInProgress message: Upon receipt of a message of this type, the Stream State MUST be set to CreatingSecurityToken. The server MUST take the token from the AuthPayload field of the message and pass it to the GSS_Accept_sec_context function ([RFC2743] section 2.2.2) along with the Server Credentials and Expected Channel Binding. If no Security Provider Context has been saved from a previous call to GSS_Accept_sec_context, the input_context_handle MUST be set to GSS_C_NO_CONTEXT. Otherwise, the saved Security Provider Context MUST be passed.

  • A HandshakeDone message: Upon receipt of a message of this type, the Stream State MUST be set to ProcessingLastToken. The server MUST take the token from the AuthPayload field of the message and pass it to the GSS_Accept_sec_context function ([RFC2743] section 2.2.2) along with the Security Provider Context, Server Credentials, and Expected Channel Binding.

  • A HandshakeError message: Upon receipt of a message of this type, the Security Provider Context MUST be deleted, the Underlying TCP Connection MUST be closed, and the Stream State MUST be set to Closed. The application MUST be notified of the HRESULT contained in the AuthPayload field. (If the application wishes to retry the authentication, it can do so by invoking a new instance of the protocol with a new Underlying TCP Connection.)

  • None of the preceding handshake message types: The message type is invalid. The Security Provider Context MUST be deleted, the Underlying TCP Connection MUST be closed, and the Stream State MUST be set to Closed. The application MUST be notified of the failure. (If the application wishes to retry the authentication, it can do so by invoking a new instance of the protocol with a new Underlying TCP Connection.)
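The receive procedure above (header parsing, payload reassembly across short reads, and dispatch on HandshakeId with the four state transitions), written out in Python as an added example; this is not code from MS-NNS or from the .NET Framework. Two things are assumptions rather than content of this page: the numeric HandshakeId values 0x14 (HandshakeDone), 0x15 (HandshakeError) and 0x16 (HandshakeInProgress) and the 1.0 version bytes are taken from section 2.2 of the specification, which is not reproduced here, and the HRESULT in a HandshakeError is read as a big-endian integer. GSS_Accept_sec_context and the application notification are passed in as callables, since they belong to the security provider and the application rather than to the framing layer.

```python
"""Server-side framing and dispatch for the WaitingForHandshakeMessage state
(added example, not code from MS-NNS or the .NET Framework)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

# Handshake message header (section 2.2): MessageId, MajorVersion, MinorVersion,
# HighByteOfPayloadSize, LowByteOfPayloadSize. Five bytes, then AuthPayload.
HEADER_LEN = 5
MAX_PAYLOAD = 0xFFFF  # two size bytes: a frame never exceeds 5 + 65535 bytes

# ASSUMPTION: numeric HandshakeId values per MS-NNS section 2.2, which this
# page does not reproduce; verify against the specification before relying on them.
HANDSHAKE_DONE = 0x14
HANDSHAKE_ERROR = 0x15
HANDSHAKE_IN_PROGRESS = 0x16

GSS_C_NO_CONTEXT = None  # stands in for the GSS-API null context handle


class StreamState(Enum):
    WAITING_FOR_HANDSHAKE_MESSAGE = "WaitingForHandshakeMessage"
    CREATING_SECURITY_TOKEN = "CreatingSecurityToken"
    PROCESSING_LAST_TOKEN = "ProcessingLastToken"
    CLOSED = "Closed"


def build_handshake_message(message_id: int, auth_payload: bytes) -> bytes:
    """Encode a Handshake message as a client would send it. ASSUMPTION: version
    bytes 1.0; the receiver ignores them in any case."""
    if len(auth_payload) > MAX_PAYLOAD:
        raise ValueError("AuthPayload does not fit in a 16-bit payload size")
    size = len(auth_payload)
    return bytes([message_id, 1, 0, size >> 8, size & 0xFF]) + auth_payload


@dataclass
class Server:
    # Models GSS_Accept_sec_context: (input_context_handle, token, credentials,
    # channel_binding) -> new Security Provider Context.
    accept_sec_context: Callable[[object, bytes, object, Optional[bytes]], object]
    server_credentials: object
    expected_channel_binding: Optional[bytes]
    # Application notification: (hresult or None, raw AuthPayload).
    notify_failure: Callable[[Optional[int], bytes], None]
    state: StreamState = StreamState.WAITING_FOR_HANDSHAKE_MESSAGE
    context: object = GSS_C_NO_CONTEXT  # saved Security Provider Context
    framing_buffer: bytearray = field(default_factory=bytearray)
    connection_open: bool = True

    def receive(self, data: bytes) -> None:
        """Store bytes from the Underlying TCP Connection in the Framing Buffer
        and dispatch each complete frame while the stream is waiting for one."""
        if not self.connection_open:
            raise ConnectionError("Underlying TCP Connection is closed")
        self.framing_buffer += data
        while self.state is StreamState.WAITING_FOR_HANDSHAKE_MESSAGE:
            frame = self.take_frame()
            if frame is None:
                return  # header or payload still incomplete: keep reading
            self._dispatch(*frame)

    def take_frame(self) -> Optional[tuple]:
        """Return (HandshakeId, AuthPayload) if a whole frame is buffered, else
        None. Bytes beyond the frame stay buffered for the next message."""
        buf = self.framing_buffer
        if len(buf) < HEADER_LEN:
            return None
        message_id = buf[0]
        # buf[1] (MajorVersion) and buf[2] (MinorVersion) MUST be ignored.
        payload_size = (buf[3] << 8) | buf[4]  # HighByte, then LowByte
        end = HEADER_LEN + payload_size
        if len(buf) < end:
            return None
        auth_payload = bytes(buf[HEADER_LEN:end])
        del buf[:end]
        return message_id, auth_payload

    def _dispatch(self, message_id: int, auth_payload: bytes) -> None:
        if message_id in (HANDSHAKE_IN_PROGRESS, HANDSHAKE_DONE):
            self.state = (StreamState.CREATING_SECURITY_TOKEN
                          if message_id == HANDSHAKE_IN_PROGRESS
                          else StreamState.PROCESSING_LAST_TOKEN)
            # First call passes GSS_C_NO_CONTEXT (None); later calls the saved context.
            self.context = self.accept_sec_context(
                self.context, auth_payload,
                self.server_credentials, self.expected_channel_binding)
        elif message_id == HANDSHAKE_ERROR:
            # ASSUMPTION: the HRESULT is carried big-endian in AuthPayload.
            hresult = int.from_bytes(auth_payload, "big") if auth_payload else None
            self._fail(hresult, auth_payload)
        else:
            self._fail(None, auth_payload)  # unknown HandshakeId: invalid message

    def _fail(self, hresult: Optional[int], auth_payload: bytes) -> None:
        self.context = GSS_C_NO_CONTEXT  # delete the Security Provider Context
        self.connection_open = False     # close the Underlying TCP Connection
        self.state = StreamState.CLOSED
        self.notify_failure(hresult, auth_payload)
```

Because the frame length is fixed by the two size bytes, the Framing Buffer never needs to grow beyond 65,540 bytes for one frame; a peer cannot force an unbounded allocation through the header alone. Trailing bytes left in the buffer after a frame is consumed are kept for the next message rather than discarded, and once the stream is Closed any further data is rejected instead of being parsed.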