22.214.171.124 Receiving an SMB_COM_NEGOTIATE Request
The new capabilities flags specified in section 126.96.36.199.1 MUST also be considered when setting the SMB_Parameters.Words.Capabilities field of the response based on the Server.Capabilities attribute.
Generating Extended Security Token
If the client indicated support for extended security by setting SMB_FLAGS2_EXTENDED_SECURITY in the Flags2 field of the SMB header of the SMB_COM_NEGOTIATE request, then the server SHOULD set CAP_EXTENDED_SECURITY in the SMB_COM_NEGOTIATE response if it supports extended security. The response MUST take the form specified in section 188.8.131.52.2.
The server SHOULD set the SecurityBlob of the SMB_COM_NEGOTIATE response to the first GSS token (or fragment thereof) produced by the GSS authentication protocol it is configured to use (GSS tokens are as specified in [RFC2743]). Otherwise, it leaves it empty. This token is also stored in Server.Connection.GSSNegotiateToken.
The server MUST initialize its GSS mechanism with the Integrity, Confidentiality, and Delegate options and use the Server-Initiated variation, as specified in [RFC4178]. The SMB_COM_NEGOTIATE response packet is sent to the client.<108>