3.3.5.2 Receiving an SMB_COM_NEGOTIATE Request

The processing of an SMB_COM_NEGOTIATE request is handled as specified in [MS-CIFS] section 3.3.5.42, with the following additions:

New Capabilities

The new capabilities flags specified in section 2.2.4.5.1 MUST also be considered when setting the SMB_Parameters.Words.Capabilities field of the response based on the Server.Capabilities attribute.

Generating Extended Security Token

If the client indicated support for extended security by setting SMB_FLAGS2_EXTENDED_SECURITY in the Flags2 field of the SMB header of the SMB_COM_NEGOTIATE request, then the server SHOULD set CAP_EXTENDED_SECURITY in the SMB_COM_NEGOTIATE response if it supports extended security. The response MUST take the form specified in section 2.2.4.5.2.

The server SHOULD set the SecurityBlob of the SMB_COM_NEGOTIATE response to the first GSS token (or fragment thereof) produced by the GSS authentication protocol it is configured to use (GSS tokens are as specified in [RFC2743]). Otherwise, it leaves it empty. This token is also stored in Server.Connection.GSSNegotiateToken.

The server MUST initialize its GSS mechanism with the Integrity, Confidentiality, and Delegate options and use the Server-Initiated variation, as specified in [RFC4178]. The SMB_COM_NEGOTIATE response packet is sent to the client.<109>
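
The decision described above, sketched as an added example (not part of the specification or of any server implementation): it reads Flags2 from the 32-byte SMB header of the request and selects the response form. The function names, the dictionary keys, and the constructed sample header are hypothetical, and clearing CAP_EXTENDED_SECURITY in the non-extended case is an assumption.

```python
import struct

SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS2_EXTENDED_SECURITY = 0x0800   # Flags2 bit in the SMB header
CAP_EXTENDED_SECURITY = 0x80000000      # Capabilities bit in the response
HEADER = struct.Struct("<4sBIBHH8sHHHHH")  # 32-byte SMB header, little-endian


def client_flags2(request: bytes) -> int:
    """Validate the header of an SMB_COM_NEGOTIATE request and return Flags2."""
    if len(request) < HEADER.size:
        raise ValueError("truncated SMB header")
    magic, command, _status, _flags, flags2, *_ = HEADER.unpack_from(request)
    if magic != b"\xffSMB" or command != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB_COM_NEGOTIATE request")
    return flags2


def plan_response(request: bytes, server_caps: int, first_gss_token: bytes) -> dict:
    """Decide the response form from the client's Flags2 and Server.Capabilities."""
    client_ext = bool(client_flags2(request) & SMB_FLAGS2_EXTENDED_SECURITY)
    server_ext = bool(server_caps & CAP_EXTENDED_SECURITY)
    if client_ext and server_ext:
        # Extended form (section 2.2.4.5.2): SecurityBlob carries the first GSS
        # token, or stays empty; the same bytes are kept as GSSNegotiateToken.
        return {"capabilities": server_caps, "extended": True,
                "security_blob": first_gss_token, "gss_negotiate_token": first_gss_token}
    # Assumption: otherwise the bit is cleared and no SecurityBlob is sent.
    return {"capabilities": server_caps & ~CAP_EXTENDED_SECURITY & 0xFFFFFFFF,
            "extended": False, "security_blob": None, "gss_negotiate_token": None}


def sample_request(flags2: int) -> bytes:
    """Constructed 32-byte header only; parameter and data blocks are omitted."""
    return HEADER.pack(b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x18, flags2,
                       0, bytes(8), 0, 0xFFFF, 0, 0, 0)


if __name__ == "__main__":
    caps = CAP_EXTENDED_SECURITY | 0x0004 | 0x0010   # constructed Server.Capabilities
    for f2 in (0xC801, 0xC001):                       # with / without the Flags2 bit
        print(hex(f2), plan_response(sample_request(f2), caps, b"constructed-token"))
```

Logging the `extended` outcome per connection shows which clients still negotiate without extended security.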