[MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request - SMB2_SIGNING_CAPABILITIES negotiate context

Question

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/b39f253e-4963-40df-8dff-2f9040ebbeb1

According to spec:

"If the Connection.Dialect is "3.1.1", then the server MUST process the NegotiateContextList..."

"If Connection.Dialect is "3.1.1", then the server MUST build a NegotiateContextList for its negotiate response as follows:

If the server processed the SMB2_SIGNING_CAPABILITIES negotiate request context, then the server MUST build an SMB2_SIGNING_CAPABILITIES negotiate response context by setting the following:

SigningAlgorithms MUST be set to Connection.SigningAlgorithmId.

SigningAlgorithmCount MUST be set to 1."

Since for SMB311 processing this context is a MUST, then responding with the context is also a MUST.

But in reality Windows hosts do not respond with the SMB2_SIGNING_CAPABILITIES context in Negotiate response.

Answer 1

Update:

This issue is now resolved.

In MS-SMB2, in the following behavior notes, it has been stated that Windows server’s versions older than v20H2 do not process SMB2_SIGNING_CAPABILITIES:

 

“<17> Section 2.2.3.1: Windows 10 operating system and prior and Windows Server v20H2 operating

system and prior do not send or process SMB2_SIGNING_CAPABILITIES.”

 

“<125> Section 3.2.4.2.2.2: Windows 10 operating system and prior and Windows Server v20H2

operating system and prior do not send or process SMB2_SIGNING_CAPABILITIES negotiate context.”

 

The behavior notes above explain what the poster is observing in WS2016.

 

I have filed a bug against MS-SMB2 to remove the MUST’s in section “Processing the SMB2_SIGNING_CAPABILITIES negotiate context”.

Regards,

Obaid Farooqi - MSFT