3.2.5.2 Receiving an SMB2 NEGOTIATE Response

If the Status field in the SMB2 header of the response is not STATUS_SUCCESS, the client MUST return the error code to the calling application.

The client MUST store the received MaxTransactSize in Connection.MaxTransactSize, the received MaxReadSize in Connection.MaxReadSize, the received MaxWriteSize in Connection.MaxWriteSize, and the received ServerGuid in Connection.ServerGuid.<151> The client MUST store the received security buffer described by SecurityBufferOffset and SecurityBufferLength into Connection.GSSNegotiateToken.

The client SHOULD<152> disconnect the connection if the size, in bytes, received in MaxTransactSize, MaxReadSize, or MaxWriteSize is less than 65536.

If the SecurityMode field in the SMB2 header of the response has the SMB2_NEGOTIATE_SIGNING_REQUIRED bit set, the client MUST set Connection.RequireSigning to TRUE.

If the client implements SMB 3.1.1, the DialectRevision in the SMB2 NEGOTIATE Response is 0x02FF, and the Connection is NetBIOS over TCP, the client MUST close the connection. The client MUST establish a new connection to the server, as specified in section 3.2.4.2.1, by providing the ServerName and TransportIdentifier indicating Direct TCP transport.

If the DialectRevision in the SMB2 NEGOTIATE Response is 0x02FF, the client MUST issue a new SMB2 NEGOTIATE request as described in section 3.2.4.2.2.2 with the only exception that the client MUST allocate sequence number 1 from Connection.SequenceWindow, and MUST set MessageId field of the SMB2 header to 1. Otherwise, the client MUST proceed as follows.

If the client implements SMB 2.1 or SMB 3.x dialect family, the client MUST perform the following:

  • The client MUST set Connection.Dialect to DialectRevision in the SMB2 NEGOTIATE Response.

  • If SMB2_GLOBAL_CAP_LEASING is set in the Capabilities field of the SMB2 NEGOTIATE Response, the client MUST set Connection.SupportsFileLeasing to TRUE. Otherwise, it MUST be set to FALSE.

  • If SMB2_GLOBAL_CAP_LARGE_MTU is set in the Capabilities field of the SMB2 NEGOTIATE Response, the client MUST set Connection.SupportsMultiCredit to TRUE. Otherwise, it MUST be set to FALSE.

If Connection.Dialect belongs to the SMB 3.x dialect family, the client MUST perform the following:

  • If SMB2_GLOBAL_CAP_DIRECTORY_LEASING is set in the Capabilities field of the SMB2 NEGOTIATE Response, the client MUST set Connection.SupportsDirectoryLeasing to TRUE. Otherwise, it MUST be set to FALSE.

  • If SMB2_GLOBAL_CAP_MULTI_CHANNEL is set in the Capabilities field of the SMB2 NEGOTIATE Response, the client MUST set Connection.SupportsMultiChannel to TRUE. Otherwise, it MUST be set to FALSE.

  • If SMB2_GLOBAL_CAP_PERSISTENT_HANDLES is set in the Capabilities field of the SMB2 NEGOTIATE Response, the client SHOULD invoke the event as specified in [MS-SWN] section 3.2.4.1 by providing Connection.ServerName as Netname parameter.

  • If SMB2_GLOBAL_CAP_ENCRYPTION is set in the Capabilities field of the SMB2 NEGOTIATE Response and Connection.Dialect is "3.0" or "3.0.2", the client MUST set Connection.SupportsEncryption to TRUE. Otherwise, it MUST be set to FALSE.

  • Connection.ServerCapabilities MUST be set to the Capabilities field of the SMB2 NEGOTIATE Response.

  • Connection.ServerSecurityMode MUST be set to the SecurityMode field of the SMB2 NEGOTIATE Response.

If the client implements the SMB 3.x dialect family, the client MUST look up the server entry in ServerList where Server.ServerName matches the Connection.ServerName. If an entry is found, the client MUST set Connection.Server to the server entry found. Otherwise, the client MUST initialize a server object and MUST set Server.ServerName to Connection.ServerName and Connection.Server to NULL. The client MUST add the Server entry to ServerList.

If the client implements the SMB 3.x dialect family and Connection.Server is not NULL, the client MUST disconnect the connection if any of the following conditions is satisfied:

  • Connection.Server.ServerGUID does not match ServerGUID in the response.

  • Connection.Server.DialectRevision does not match DialectRevision in the response.

  • Connection.Server.SecurityMode does not match SecurityMode in the response.

  • Connection.Server.Capabilities does not match Capabilities in the response.

If the client implements the SMB 3.x dialect family and Connection.Server is NULL, the client MUST set the following values:

  • Connection.Server to the server entry in ServerList where Server.ServerName matches the Connection.ServerName.

  • Connection.Server.ServerGUID to ServerGUID in the response

  • Connection.Server.DialectRevision to DialectRevision in the response

  • Connection.Server.SecurityMode to SecurityMode in the response

  • Connection.Server.Capabilities to Capabilities in the response

If Connection.Dialect is "3.1.1", the client MUST process the negotiate context list that is specified by the response's NegotiateContextOffset and NegotiateContextCount fields as follows:

  • Processing the SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context:

    • If the negotiate context list does not contain exactly one SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context, then the client MUST return an error to the calling application.

    • If HashAlgorithmCount is not 1, then the client MUST return an error to the calling application.

    • If HashAlgorithms[0] is not one of the hash algorithms from the set of hash algorithms that the client specified in its negotiate request, then the client MUST return an error to the calling application.

    • The client MUST set Connection.PreauthIntegrityHashId to HashAlgorithms[0].

  • Processing the SMB2_ENCRYPTION_CAPABILITIES negotiate context

    • If the client's negotiate request did not contain an SMB2_ENCRYPTION_CAPABILITIES negotiate context, then the client MUST return an error to the calling application.

    • If the negotiate context list contains more than one SMB2_ENCRYPTION_CAPABILITIES negotiate context, then the client MUST return an error to the calling application.

    • If CipherCount is not 1, then the client MUST return an error to the calling application.

    • If Ciphers[0] is not 0 or not one of the ciphers that the client specified in its negotiate request, then the client MUST return an error to the calling application.

    • The client MUST set Connection.CipherId to Ciphers[0].

    • If Connection.CipherId is nonzero, the client MUST set Connection.SupportsEncryption to TRUE. Otherwise, it MUST be set to FALSE.

If Connection.Dialect is "3.1.1", the client MUST update its preauthentication integrity hash value as follows:

  • The client MUST initialize Connection.PreauthIntegrityHashValue with zero.

  • The client MUST generate a hash using the Connection.PreauthIntegrityHashId algorithm on the string constructed by concatenating Connection.PreauthIntegrityHashValue and the negotiate request message retrieved from the first entry of Connection.OutstandingRequests. The client MUST set Connection.PreauthIntegrityHashValue to the hash value generated above.

  • The client MUST generate a hash using Connection.PreauthIntegrityHashId algorithm on the string constructed by concatenating Connection.PreauthIntegrityHashValue and the negotiate response message, including all bytes from the response's SMB2 header to the last byte received from the network. The client MUST set Connection.PreauthIntegrityHashValue to the hash value generated above.

The client MUST continue processing, as specified in section 3.2.4.2.3.

Show: