4.8 Establish Alternate Channel
The following diagram demonstrates the steps taken to establish an alternate channel.
Figure 13: Establishing an alternate channel
The client sends an SMB2 NEGOTIATE Request with dialect 0x300 in the Dialects array, and SMB2_GLOBAL_CAP_MULTI_CHANNEL(0x00000008) bit set in Capabilities.
SMB2: C NEGOTIATE (0x0), ClientGUID={F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
  CNegotiate:
    StructureSize: 36 (0x24)
    DialectCount: 3 (0x3)
    SecurityMode: 1 (0x1)
      SMB2NEGOTIATESIGNINGENABLED: (...............1) security signatures are enabled on the client.
      SMB2NEGOTIATESIGNINGREQUIRED: (..............0.) security signatures are not required by the client.
      Reserved: (00000000000000..) Reserved
    Reserved: 0 (0x0)
    Capabilities: 0x7F
    ClientGuid: {F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
    ClientStartTime: No Time Specified (0)
    Dialects:
      Dialects: 514 (0x202)
      Dialects: 528 (0x210)
      Dialects: 768 (0x300)
The server receives the SMB2 NEGOTIATE Request and finds dialect 0x0300. The server responds with an SMB2 NEGOTIATE Response with dialect 0x300 in the DialectRevision, and the SMB2_GLOBAL_CAP_MULTI_CHANNEL(0x00000008) bit set in Capabilities.
SMB2: R NEGOTIATE (0x0), ServerGUID={1B005379-8063-F0B6-4907-4957998700A1}
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: R NEGOTIATE (0x0),TID=0x0000, MID=0x0000, PID=0xFEFF, SID=0x0000
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: 0x0, Code = (0) STATUS_SUCCESS, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS
    Flags: 0x1
    NextCommand: 0 (0x0)
    MessageId: 0 (0x0)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
    Signature: Binary Large Object (16 Bytes)
  RNegotiate:
    StructureSize: 65 (0x41)
    SecurityMode: 1 (0x1)
      SMB2NEGOTIATESIGNINGENABLED: (...............1) security signatures are enabled on the client.
      SMB2NEGOTIATESIGNINGREQUIRED: (..............0.) security signatures are not required by the client.
      Reserved: (00000000000000..) Reserved
    DialectRevision: (0x300) - SMB 3.0 dialect revision number.
    Reserved: 0 (0x0)
    ServerGuid: {1B005379-8063-F0B6-4907-4957998700A1}
    Capabilities: 0x7F
    MaxTransactSize: 1048576 (0x100000)
    MaxReadSize: 1048576 (0x100000)
    MaxWriteSize: 1048576 (0x100000)
    SystemTime: 05/11/2012, 06:41:20.036527 UTC
    ServerStartTime: 05/10/2012, 09:56:03.345351 UTC
    SecurityBufferOffset: 128 (0x80)
    SecurityBufferLength: 120 (0x78)
    Reserved2: 0 (0x0)
The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request with the output token received from GSS.
SMB2: C SESSION SETUP (0x1)
  CSessionSetup:
    StructureSize: 25 (0x19)
    Flags: 0 (0x0)
    SecurityMode: 1 (0x1)
    Capabilities: 0x1
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 74 (0x4A)
    PreviousSessionId: 0 (0x0)
    securityBlob:
The server processes the token received with GSS and gets a return code. The GSS return code indicates that an additional exchange is required to complete the authentication. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.
SMB2: R - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED SESSION SETUP (0x1), SessionFlags=0x0
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: R SESSION SETUP (0x1),TID=0x0000, MID=0x0001, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: 0xC0000016, Code = (22) STATUS_MORE_PROCESSING_REQUIRED, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_ERROR
    Command: SESSION SETUP (0x1)
    Credits: 1 (0x1)
    Flags: 0x1
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
  RSessionSetup:
    StructureSize: 9 (0x9)
    SessionFlags: 0x0
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 349 (0x15D)
The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the previous response.
SMB2: C SESSION SETUP (0x1)
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: C SESSION SETUP (0x1),TID=0x0000, MID=0x0002, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: SESSION SETUP (0x1)
    Credits: 10 (0xA)
    Flags: 0x0
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
SMB2: C SESSION SETUP (0x1)
  CSessionSetup:
    StructureSize: 25 (0x19)
    Flags: 0 (0x0)
    SecurityMode: 1 (0x1)
    Capabilities: 0x1
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 625 (0x271)
    PreviousSessionId: 0 (0x0)
The server processes the token received with GSS and gets a successful return code. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.
SMB2: R SESSION SETUP (0x1), SessionFlags=0x0
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: R SESSION SETUP (0x1),TID=0x0000, MID=0x0002, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: 0x0, Code = (0) STATUS_SUCCESS, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS
    Flags: 0x9
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
  RSessionSetup:
    StructureSize: 9 (0x9)
    SessionFlags: 0x0
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 29 (0x1D)
The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the SessionId for the session, and a tree connect request containing the Unicode share name "\\smb2server\share".
SMB2: C TREE CONNECT (0x3), Path:\\smb2server\share
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: C TREE CONNECT (0x3),TID=0x0000, MID=0x0003, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: TREE CONNECT (0x3)
    Credits: 10 (0xA)
    Flags: 0x0
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
  CTreeConnect:
    StructureSize: 9 (0x9)
    Reserved: 0 (0x0)
    PathOffset: 72 (0x48)
    PathLength: 42 (0x2A)
    Path:\\smb2server\share
The server responds with an SMB2 TREE_CONNECT Response with the MessageId of 3, the CreditResponse of 5, the Status equal to STATUS_SUCCESS, the SessionId of 0x8040030000075, and TreeId set to the locally generated identifier 0x1.
SMB2: R TREE CONNECT (0x3), TID=0x1
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: R TREE CONNECT (0x3),TID=0x0001, MID=0x0003, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: 0x0, Code = (0) STATUS_SUCCESS, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS
    Flags: 0x1
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 65279 (0xFEFF)
    TreeId: 1 (0x1)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
  RTreeConnect: 0x1
    StructureSize: 16 (0x10)
    ShareType: Disk (0x1)
    Reserved: 0 (0x0)
    ShareFlags: 2048 (0x800)
    Capabilities: 0x0
    MaximalAccess: 0x1F01FF
The client sends a FSCTL_VALIDATE_NEGOTIATE_INFO IOCTL request with the Dialects array set to 0x202, 0x210, and 0x300, along with the expected server capabilities, security mode, and GUID, to protect against a downgrade attack.
SMB2: C IOCTL (0xb), FID=0xFFFFFFFFFFFFFFFF, FSCTL_VALIDATE_NEGOTIATE_INFO
  CIoCtl:
    StructureSize: 57 (0x39)
    Reserved: 0 (0x0)
    CtlCode: FSCTL_VALIDATE_NEGOTIATE_INFO
    FileId: Persistent: 0xFFFFFFFFFFFFFFFF, Volatile: 0xFFFFFFFFFFFFFFFF
      Persistent: 18446744073709551615 (0xFFFFFFFFFFFFFFFF)
      volatile: 18446744073709551615 (0xFFFFFFFFFFFFFFFF)
    InputOffset: 120 (0x78)
    InputCount: 30 (0x1E)
    MaxInputResponse: 0 (0x0)
    OutputOffset: 120 (0x78)
    OutputCount: 0 (0x0)
    MaxOutputResponse: 24 (0x18)
    Flags: (00000000000000000000000000000001) FSCTL request
    Reserved2: 0 (0x0)
    ValidateNegotiate:
      Capabilities: 0x7F
      Guid: {F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
      SecurityMode: 1 (0x1)
      DialectCount: 3 (0x3)
      Dialects:
        Dialects: 514 (0x202)
        Dialects: 528 (0x210)
        Dialects: 768 (0x300)
The server determines that dialect, capabilities, security mode, and GUID are as expected, and sends an FSCTL_VALIDATE_NEGOTIATE_INFO IOCTL Response with the established values for the connection in an SMB2 IOCTL Response. Upon receiving and validating these, the client successfully validates the end-to-end negotiation and processing proceeds to using the session.
SMB2: R IOCTL (0xb), FSCTL_VALIDATE_NEGOTIATE_INFO
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: R IOCTL (0xb),TID=0x0001, MID=0x0004, PID=0x000D, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 1 (0x1)
    Status: 0x0, Code = (0) STATUS_SUCCESS, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS
    Flags: 0x9
    NextCommand: 0 (0x0)
    MessageId: 4 (0x4)
    Reserved: 13 (0xD)
    TreeId: 1 (0x1)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
  RIoCtl:
    StructureSize: 49 (0x31)
    Reserved: 0 (0x0)
    CtlCode: FSCTL_VALIDATE_NEGOTIATE_INFO
    FileId: Persistent: 0xFFFFFFFFFFFFFFFF, Volatile: 0xFFFFFFFFFFFFFFFF
      Persistent: 18446744073709551615 (0xFFFFFFFFFFFFFFFF)
      volatile: 18446744073709551615 (0xFFFFFFFFFFFFFFFF)
    InputOffset: 112 (0x70)
    InputCount: 0 (0x0)
    OutputOffset: 112 (0x70)
    OutputCount: 24 (0x18)
    Flags: 0 (0x0)
    Reserved2: 0 (0x0)
    ValidateNegotiate:
      Capabilities: 0x7F
      Dialect: 768 (0x300)
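The downgrade check from the two steps above, as an added Python example that is not part of the original specification text: it packs the request payload with this trace's values and compares a response payload against what the client negotiated. The little-endian layout with the GUID in Windows mixed-endian form and all helper names are assumptions of this example; the response payloads are constructed samples.

```python
import struct
import uuid

# Values the client recorded during the NEGOTIATE exchange in this trace.
CLIENT = {"capabilities": 0x7F, "security_mode": 1,
          "guid": uuid.UUID("F62E4D0B-C685-E48B-40B6-D815CB56FF6E"),
          "dialects": [0x0202, 0x0210, 0x0300]}
NEGOTIATED = {"capabilities": 0x7F, "security_mode": 1, "dialect": 0x0300,
              "guid": uuid.UUID("1B005379-8063-F0B6-4907-4957998700A1")}

def build_request(client):
    """Pack Capabilities, Guid, SecurityMode, DialectCount, Dialects (little-endian)."""
    dialects = client["dialects"]
    head = struct.pack("<I16sHH", client["capabilities"], client["guid"].bytes_le,
                       client["security_mode"], len(dialects))
    return head + struct.pack("<%dH" % len(dialects), *dialects)

def parse_response(payload):
    """Unpack the fixed 24-byte response: Capabilities, Guid, SecurityMode, Dialect."""
    if len(payload) != 24:
        raise ValueError("VALIDATE_NEGOTIATE_INFO response must be 24 bytes")
    caps, guid, mode, dialect = struct.unpack("<I16sHH", payload)
    return {"capabilities": caps, "guid": uuid.UUID(bytes_le=guid),
            "security_mode": mode, "dialect": dialect}

def mismatches(negotiated, payload):
    """Names of fields where the response disagrees with what was negotiated."""
    got = parse_response(payload)
    return sorted(k for k in negotiated if got[k] != negotiated[k])

def make_response(caps, guid, mode, dialect):
    """Constructed sample payload standing in for the server's IOCTL output buffer."""
    return struct.pack("<I16sHH", caps, guid.bytes_le, mode, dialect)

if __name__ == "__main__":
    ok = make_response(0x7F, NEGOTIATED["guid"], 1, 0x0300)
    # Constructed mismatch: multichannel bit cleared and an older dialect reported.
    downgraded = make_response(0x77, NEGOTIATED["guid"], 1, 0x0210)
    print(len(build_request(CLIENT)))        # matches InputCount in the trace
    print(mismatches(NEGOTIATED, ok))
    print(mismatches(NEGOTIATED, downgraded))
```

An empty list corresponds to the successful validation described above; any non-empty list means the values seen during NEGOTIATE were altered in transit and the connection should not be used.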
To establish an alternate channel, the client sends an FSCTL_QUERY_NETWORK_INTERFACE_INFO IOCTL request to query the available network interfaces on the server.
SMB2: C IOCTL (0xb), FID=0xFFFFFFFFFFFFFFFF, FSCTL_QUERY_NETWORK_INTERFACE_INFO
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: C IOCTL (0xb),TID=0x0001, MID=0x0005, PID=0x000D, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 1 (0x1)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: IOCTL (0xb)
    Credits: 10 (0xA)
    Flags: 0x0
    NextCommand: 0 (0x0)
    MessageId: 5 (0x5)
    Reserved: 13 (0xD)
    TreeId: 1 (0x1)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
  CIoCtl:
    StructureSize: 57 (0x39)
    Reserved: 0 (0x0)
    CtlCode: FSCTL_QUERY_NETWORK_INTERFACE_INFO
    FileId: Persistent: 0xFFFFFFFFFFFFFFFF, Volatile: 0xFFFFFFFFFFFFFFFF
    InputOffset: 0 (0x0)
    InputCount: 0 (0x0)
    MaxInputResponse: 0 (0x0)
    OutputOffset: 0 (0x0)
    OutputCount: 0 (0x0)
    MaxOutputResponse: 1000 (0x3E8)
    Flags: (00000000000000000000000000000001) FSCTL request
    Reserved2: 0 (0x0)
The server sends a NETWORK_INTERFACE_INFO Response in an SMB2 IOCTL Response with the available network interfaces.
SMB2: R IOCTL (0xb), FSCTL_QUERY_NETWORK_INTERFACE_INFO
  RIoCtl:
    StructureSize: 49 (0x31)
    Reserved: 0 (0x0)
    CtlCode: FSCTL_QUERY_NETWORK_INTERFACE_INFO
    FileId: Persistent: 0xFFFFFFFFFFFFFFFF, Volatile: 0xFFFFFFFFFFFFFFFF
    InputOffset: 112 (0x70)
    InputCount: 0 (0x0)
    OutputOffset: 112 (0x70)
    OutputCount: 912 (0x390)
    Flags: 0 (0x0)
    Reserved2: 0 (0x0)
    InterfaceInfo:
      Next: 152 (0x98)
      IfIndex: 12 (0xC)
      Capability: 1 (0x1)
        RSSCapable: 1 (0x1)
        RDMACapable: 0 (0x0)
        Reserved: 0 (0x0)
      Reserved: 0 (0x0)
      LinkSpeed: 10000000000 (0x2540BE400)
      SockAddr: 172.25.220.21:0
        Family: 2 (0x2)
        IPv4: 172.25.220.21:0
          Port: 0 (0x0)
          Address: 172.25.220.21
          Reserved: Binary Large Object (8 Bytes)
        EntryPadding: Binary Large Object (112 Bytes)
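A parser for the NETWORK_INTERFACE_INFO list carried in the response above, as an added Python example that is not part of the original specification text. It assumes the 152-byte entry layout implied by the trace (24 bytes of fixed fields followed by a 128-byte socket address, chained by Next offsets) and rejects truncated or non-advancing entries; the helper names and the second sample entry (IfIndex 13, 192.0.2.10) are constructed.

```python
import ipaddress
import struct

ENTRY_SIZE = 152                     # 24-byte fixed part + 128-byte SockAddr_Storage
RSS_CAPABLE, RDMA_CAPABLE = 0x1, 0x2
AF_INET, AF_INET6 = 0x0002, 0x0017

def parse_interfaces(buf):
    """Walk the Next-linked NETWORK_INTERFACE_INFO entries in an IOCTL output buffer."""
    out, off = [], 0
    while True:
        if off + ENTRY_SIZE > len(buf):
            raise ValueError("entry at offset %d runs past the buffer" % off)
        nxt, if_index, cap, _rsvd, speed = struct.unpack_from("<IIIIQ", buf, off)
        family, = struct.unpack_from("<H", buf, off + 24)
        if family == AF_INET:        # Family(2), Port(2), IPv4 address(4)
            addr = ipaddress.IPv4Address(bytes(buf[off + 28:off + 32]))
        elif family == AF_INET6:     # Family(2), Port(2), FlowInfo(4), IPv6 address(16)
            addr = ipaddress.IPv6Address(bytes(buf[off + 32:off + 48]))
        else:
            raise ValueError("unknown address family 0x%04x" % family)
        out.append({"if_index": if_index, "rss": bool(cap & RSS_CAPABLE),
                    "rdma": bool(cap & RDMA_CAPABLE), "link_speed": speed,
                    "address": str(addr)})
        if nxt == 0:                 # last entry in the list
            return out
        if nxt < ENTRY_SIZE:         # would overlap this entry or never advance
            raise ValueError("Next offset %d is smaller than one entry" % nxt)
        off += nxt

def make_entry(nxt, if_index, cap, speed, ipv4):
    """Constructed sample entry (IPv4 only) used to exercise the parser."""
    sock = struct.pack("<HH4s", AF_INET, 0, ipaddress.IPv4Address(ipv4).packed)
    return struct.pack("<IIIIQ", nxt, if_index, cap, 0, speed) + sock.ljust(128, b"\0")

if __name__ == "__main__":
    # First entry mirrors the trace; the second is a constructed placeholder.
    sample = (make_entry(152, 12, RSS_CAPABLE, 10_000_000_000, "172.25.220.21")
              + make_entry(0, 13, 0, 1_000_000_000, "192.0.2.10"))
    for nic in parse_interfaces(sample):
        print(nic)
```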
The client selects any one network interface pair to establish a new connection, and sends an SMB2 NEGOTIATE Request with dialect 0x300 in the Dialects array, and SMB2_GLOBAL_CAP_MULTI_CHANNEL(0x00000008) bit set in Capabilities.
SMB2: C NEGOTIATE (0x0), ClientGUID={F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: C NEGOTIATE (0x0),TID=0x0000, MID=0x0000, PID=0xFEFF, SID=0x0000
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: NEGOTIATE (0x0)
    Credits: 10 (0xA)
    Flags: 0x0
    NextCommand: 0 (0x0)
    MessageId: 0 (0x0)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
    Signature: Binary Large Object (16 Bytes)
  CNegotiate:
    StructureSize: 36 (0x24)
    DialectCount: 3 (0x3)
    SecurityMode: 1 (0x1)
    Reserved: 0 (0x0)
    Capabilities: 0x3F
    ClientGuid: {F62E4D0B-C685-E48B-40B6-D815CB56FF6E}
    ClientStartTime: No Time Specified (0)
    Dialects:
      Dialects: 514 (0x202)
      Dialects: 528 (0x210)
      Dialects: 768 (0x300)
The server responds with an SMB2 NEGOTIATE Response with dialect 0x300 in the DialectRevision, and SMB2_GLOBAL_CAP_MULTI_CHANNEL(0x00000008) bit set in Capabilities.
SMB2: R NEGOTIATE (0x0), ServerGUID={1B005379-8063-F0B6-4907-4957998700A1}
  RNegotiate:
    StructureSize: 65 (0x41)
    SecurityMode: 1 (0x1)
    DialectRevision: (0x300) - SMB 3.0 dialect revision number.
    Reserved: 0 (0x0)
    ServerGuid: {1B005379-8063-F0B6-4907-4957998700A1}
    Capabilities: 0x3F
    MaxTransactSize: 1048576 (0x100000)
    MaxReadSize: 1048576 (0x100000)
    MaxWriteSize: 1048576 (0x100000)
    SystemTime: 05/11/2012, 06:41:49.996099 UTC
    ServerStartTime: 05/10/2012, 09:56:03.345351 UTC
    SecurityBufferOffset: 128 (0x80)
    SecurityBufferLength: 120 (0x78)
    Reserved2: 0 (0x0)
The client sends an SMB2 SESSION_SETUP Request with SMB2_SESSION_FLAG_BINDING set in the Flags field, the SessionId of the previous channel's session (0x4040104000001) set in the header, and the PreviousSessionId field set to 0, and signs the message using the Session.SigningKey derived from AES-128-CMAC. Because the request and response are signed, the client does not need to revalidate the negotiation.
SMB2: C SESSION SETUP (0x1)
  SMBIdByte: 254 (0xFE)
  SMBIdentifier: SMB
  SMB2Header: C SESSION SETUP (0x1),TID=0x0000, MID=0x0001, PID=0xFEFF, SID=0x4000001
    StructureSize: 64 (0x40)
    CreditCharge: 0 (0x0)
    ChannelSequence: (0x0) - (SMB 3.00 and later only)
    Reserved2: 0 (0x0)
    Command: SESSION SETUP (0x1)
    Credits: 10 (0xA)
    Flags: 0x8
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 65279 (0xFEFF)
    TreeId: 0 (0x0)
    SessionId: 1130302315429889 (0x4040104000001)
    Signature: Binary Large Object (16 Bytes)
  CSessionSetup:
    StructureSize: 25 (0x19)
    Flags: 1 (0x1)
      SessionBind: (.......1) bind this connection to an existing session (specified in PreviousSessionId)
      Reserved: (0000000.) Reserved
    SecurityMode: 1 (0x1)
    Capabilities: 0x1
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 74 (0x4A)
    PreviousSessionId: 0 (0x0)
The server processes the token received with GSS and gets a return code. The GSS return code indicates that an additional exchange is required to complete the authentication. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.
SMB2: R - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED SESSION SETUP (0x1), SessionFlags=0x0
  RSessionSetup:
    StructureSize: 9 (0x9)
    SessionFlags: 0x0
      GU: (...............0) NOT a guest user
      NU: (..............0.) NOT a NULL user
      Reserved_bits2_15: (00000000000000..) Reserved
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 349 (0x15D)
The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the response.
SMB2: C SESSION SETUP (0x1)
  CSessionSetup:
    StructureSize: 25 (0x19)
    Flags: 1 (0x1)
      SessionBind: (.......1) bind this connection to an existing session (specified in PreviousSessionId)
      Reserved: (0000000.) Reserved
    SecurityMode: 1 (0x1)
    Capabilities: 0x1
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 625 (0x271)
    PreviousSessionId: 0 (0x0)
The server processes the token received with GSS and gets a successful return code. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.
SMB2: R SESSION SETUP (0x1), SessionFlags=0x0
  SMBIdByte: 254 (0xFE)
  RSessionSetup:
    StructureSize: 9 (0x9)
    SessionFlags: 0x0
      GU: (...............0) NOT a guest user
      NU: (..............0.) NOT a NULL user
      Reserved_bits2_15: (00000000000000..) Reserved
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 29 (0x1D)
    securityBlob:
An alternate channel has been established for the session.