3.2.5.1 Sent Initial PRELOGIN Packet State

If the response contains a structurally valid PRELOGIN response indicating a success, the TDS client MUST take action according to the Encryption option and Authentication scheme:

  • The Encryption option MUST be handled as described in section 2.2.6.5 in the PRELOGIN message description.

  • If encryption was negotiated, the TDS client MUST initiate a TLS/SSL handshake, send to the server a TLS/SSL message obtained from the TLS/SSL layer encapsulated in TDS packet(s) of type PRELOGIN (0x12), and enter the "Sent TLS/SSL negotiation packet" state.

  • If encryption was not negotiated and the upper layer did not request full encryption, the TDS client MUST send to the server a Login message that contains the authentication scheme that is specified by the user and MUST enter one of the following three states, depending on the message sent:

    • "Sent LOGIN7 record with Complete Authentication Token" state, if a Login message that contains either of the following was sent:

      • Standard authentication.

      • FEDAUTH FeatureExt<54> that indicates a client library that does not need any additional information from the server for authentication.

    • "Sent LOGIN7 record with SPNEGO packet" state, if a Login message with SPNEGO authentication was sent.

    • "Sent LOGIN7 record with Federated Authentication Information Request" state, if a Login message with FEDAUTH FeatureExt that indicates a client library that needs additional information from the server for authentication was sent.

    The TDS specification does not prescribe the authentication protocol if SSPI [SSPI] authentication is used. The current implementation of SSPI supports NTLM [MSDN-NTLM] and Kerberos [RFC4120].

  • If encryption was not negotiated and the upper layer requested full encryption, then the TDS client MUST close the underlying transport connection, indicate an error to the upper layer, and enter the "Final State" state.

  • If the response received from the server does not contain a structurally valid PRELOGIN response or it contains a structurally valid PRELOGIN response indicating an error, the TDS client MUST close the underlying transport connection, indicate an error to the upper layer, and enter the "Final State" state.

  • If NONCEOPT is specified in both the client PRELOGIN message and the server PRELOGIN message, the TDS client MUST maintain a state variable that includes the value of the NONCE that is sent to the server and a state variable that includes the value of the NONCE that is contained in the server’s response.
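The transitions listed above, written as a single decision function. This is an added example, not code from the specification: the class, field and authentication-scheme names are hypothetical, and `encryption_negotiated` is assumed to be the outcome of the section 2.2.6.5 handling computed elsewhere.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class State(Enum):
    TLS = "Sent TLS/SSL negotiation packet"
    COMPLETE_TOKEN = "Sent LOGIN7 record with Complete Authentication Token"
    SPNEGO = "Sent LOGIN7 record with SPNEGO packet"
    FEDAUTH_INFO_REQUEST = "Sent LOGIN7 record with Federated Authentication Information Request"
    FINAL = "Final State"

# Hypothetical labels for the authentication scheme chosen by the upper layer.
LOGIN_STATE = {
    "standard": State.COMPLETE_TOKEN,
    "fedauth_no_server_info": State.COMPLETE_TOKEN,
    "spnego": State.SPNEGO,
    "fedauth_needs_server_info": State.FEDAUTH_INFO_REQUEST,
}

@dataclass
class PreloginResult:              # hypothetical summary of the parsed server response
    structurally_valid: bool
    indicates_error: bool
    encryption_negotiated: bool    # assumed: result of section 2.2.6.5 handling
    server_nonce: Optional[bytes] = None   # set only if the server sent NONCEOPT

@dataclass
class ClientContext:
    auth_scheme: str
    require_full_encryption: bool          # what the upper layer requested
    client_nonce: Optional[bytes] = None   # set only if the client sent NONCEOPT
    saved_nonces: Optional[tuple] = None   # (client NONCE, server NONCE)

def on_prelogin_response(ctx: ClientContext, resp: PreloginResult):
    """Return (next_state, action) for the Sent Initial PRELOGIN Packet state."""
    if not resp.structurally_valid or resp.indicates_error:
        return State.FINAL, "close transport, report error"
    if ctx.client_nonce is not None and resp.server_nonce is not None:
        ctx.saved_nonces = (ctx.client_nonce, resp.server_nonce)
    if resp.encryption_negotiated:
        return State.TLS, "send TLS/SSL handshake in PRELOGIN (0x12) packets"
    if ctx.require_full_encryption:
        # Fail closed: never fall through to LOGIN7 on an unencrypted transport.
        return State.FINAL, "close transport, report error"
    if ctx.auth_scheme not in LOGIN_STATE:
        # Added safeguard (not from the specification): reject unknown schemes.
        raise ValueError(f"unknown authentication scheme: {ctx.auth_scheme!r}")
    return LOGIN_STATE[ctx.auth_scheme], "send LOGIN7"
```

The encryption checks run before any LOGIN7 branch, so a server response that negotiates no encryption cannot lead to a login message being sent when the upper layer requested full encryption.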
