CIFS Kerberos Authentication

To authenticate, CIFS uses the standard procedures of RFC 2478 (GSS-API), which allow a client or server to call for authentication independently of the final choice of authentication method. For CIFS, the selected authentication method is either Kerberos or NTLM. By default, networked Windows 2000 or Windows XP platforms call for authentication using Kerberos.

For a Windows 2000 or Windows XP platform, both Kerberos and NTLM Security Support Provider (SSP) authentication components are loaded at startup. Microsoft applications do not authenticate inline but make a Security Support Provider Interface (SSPI) Negotiate call to request authentication. A Negotiate call selects the appropriate SSP component to handle the request. As a result, networked Windows 2000 and Windows XP platforms attempt to authenticate using the Kerberos SSP; standalone and older Windows NT platforms use NTLM. A Windows 2000 CIFS server, for example, implicitly uses Kerberos for authentication.

A CIFS client/server session negotiation uses two CIFS packet types (_NEGOTIATE and _SESSION_SETUP_ANDX) to exchange system capabilities and to authenticate. To negotiate a CIFS session, the client first approaches the server with a list of the CIFS dialects that the client can support. From this list, the server selects the best dialect to use, warns the client if user challenge-response authentication is required, and sends a challenge security blob. The format of the server security blob conforms to RFC 2478 (GSS-API).

The client gets a Kerberos ticket (for an MSFT implementation, via an SSPI call) and sends the server the ticket in an RFC 2478 GSS-API security blob of its own. The server responds in kind. The Kerberos procedure can require several blob exchanges before the server and client can both complete the authentication process.

For non-MSFT implementations, no convenient SSPI call is possible, and the developer needs to be aware of the assumptions and coding conventions behind GSS-API interoperation. One assumption, for example, is that although GSS-API does not specify an authentication method, a Windows 2000 server is implicitly expecting the Kerberos method. One coding convention, for example, is that Windows 2000 and Windows XP do not recognize GSS-API service name formats, so the alternate full service principal name, in the form sample/host.dom.com@REALM, must be used. For more information on GSS-API interoperation, see the topic SSPI/Kerberos Interoperability with GSSAPI on msdn.microsoft.com.

To implement CIFS authentication, the reader should be familiar with RFC 2478 (GSS-API) and the Kerberos protocol itself as well as the CIFS packet documentation for _NEGOTIATE and _SESSION_SETUP_ANDX.

See Also

Royalty-Free CIFS Technical Reference License Agreement