Application Requests Reauthenticating a User

It is possible that the server indicates that authentication has expired, as specified in sections and, or the application or the client itself requests that an existing session be reauthenticated. In either case, the client MUST issue a subsequent session setup request for the SessionId of the session being reauthenticated. The application SHOULD NOT issue new requests until the reauthentication succeeds.

The client MAY<109> either:

  • Pass the Connection.GSSNegotiateToken to the configured GSS authentication mechanism to obtain a GSS output token for the authentication protocol exchange, as specified in [MS-SPNG] section


  • Choose to ignore the Connection.GSSNegotiateToken received from the server, and initiate a normal GSS sequence as specified in [MS-SPNG] section 3.3.4 and [RFC4178] section 3.2.

In either case, it initializes the GSS authentication protocol with the MutualAuth and Delegate options. In addition, the client MUST also set the GSS_C_FRAGMENT_TO_FIT parameter as specified in [MS-SPNG] section 3.3.1. The GSS-API output token is up to a size limit determined by local policy <110> when GSS_C_FRAGMENT_TO_FIT is set.

If the GSS authentication protocol returns an error, the reauthentication attempt MUST be aborted, and the error MUST be returned to the higher-level application.

If the GSS authentication succeeds, the client MUST construct an SMB2 SESSION_SETUP request, as specified in section 2.2.5. The SMB2 header MUST be initialized as follows:

  • The Command field MUST be set to SMB2 SESSION_SETUP.

  • The MessageId field is set as specified in section

  • The SessionId field MUST be set to the Session.SessionId for the session being reauthenticated.

The SMB2 SESSION_SETUP Request MUST be initialized as follows:

  • If RequireMessageSigning is TRUE, the client MUST set the SMB2_NEGOTIATE_SIGNING_REQUIRED bit in the SecurityMode field.

    If RequireMessageSigning is FALSE, the client MUST set the SMB2_NEGOTIATE_SIGNING_ENABLED bit in the SecurityMode field.

  • The Flags field MUST be set to 0.

  • If the client supports the Distributed File System (DFS), as specified in [MS-DFSC], the SMB2_GLOBAL_CAP_DFS bit in the Capabilities field MUST be set.

  • The PreviousSessionId field MUST be set to 0.

  • The GSS output token is copied into the Buffer field in the request. The client MUST set SecurityBufferOffset and SecurityBufferLength to describe the location and length of the GSS output token in the request.

This request MUST be sent to the server.