3.2.5.2 Receiving an SMB_COM_NEGOTIATE Response

If the Status field of the response does not contain STATUS_SUCCESS, or if the server refused the SMB dialects offered by the client, the client MUST propagate the error to the application that initiated the SMB connection. In either case, protocol negotiation has failed and the SMB connection SHOULD be closed.

Otherwise, protocol negotiation has succeeded and the SMB connection has been established. Processing of the SMB_COM_NEGOTIATE Response (section 2.2.4.52.2) proceeds as follows:

Storing the selected dialect

The selected dialect MUST be retrieved and stored as described in section 3.2.4.2.2.

Storing authentication settings

The server's access control level is indicated by the NEGOTIATE_USER_SECURITY (0x01) bit of the SecurityMode field in the SMB_COM_NEGOTIATE Response. If this bit is clear (0), Client.Connection.ShareLevelAccessControl (which was initialized to FALSE in section 3.2.3) MUST be set to TRUE.

Support for challenge/response authentication is indicated by the NEGOTIATE_ENCRYPT_PASSWORDS (0x02) bit of the SecurityMode field in the SMB_COM_NEGOTIATE Response. If this bit is set (1), Client.Connection.ServerChallengeResponse (which was initialized to FALSE in section 3.2.3) MUST be set to TRUE.

Determining the server signing mode

The server response indicates whether the server has message signing enabled and, if so, whether or not message signing is expected:

  • If the server supports only Share Level Access Control or plaintext passwords, signing is not available and Client.Connection.ServerSigningState MUST be Disabled.

  • If the NEGOTIATE_SECURITY_SIGNATURES_ENABLED bit in the SecurityMode field of the SMB_COM_NEGOTIATE Response is not set, Client.Connection.ServerSigningState MUST be Disabled.

  • If the NEGOTIATE_SECURITY_SIGNATURES_ENABLED bit in the SecurityMode field of the SMB_COM_NEGOTIATE Response is set, but NEGOTIATE_SECURITY_SIGNATURES_REQUIRED is not set, the client MUST set Client.Connection.ServerSigningState to Enabled.

  • If both the NEGOTIATE_SECURITY_SIGNATURES_ENABLED and NEGOTIATE_SECURITY_SIGNATURES_REQUIRED bits in the SecurityMode field of the SMB_COM_NEGOTIATE Response are set, the client MUST set Client.Connection.ServerSigningState to Required.

Once Client.Connection.ServerSigningState is set, the client MUST consult the table under "Signing" in User Authentication (section 3.2.4.2.4) to determine whether or not signing is blocked. If signing is blocked, the connection SHOULD be terminated by disconnecting the underlying transport and tearing down any state associated with the connection.

Storing server parameters

The client MUST store the Capabilities returned in the SMB_COM_NEGOTIATE Response in Client.Connection.ServerCapabilities.

The client MUST set Client.Connection.ServerSessionKey to the value received in the SessionKey field of the SMB_COM_NEGOTIATE Response.

The client MUST set the Client.Connection.NTLMChallenge to the value returned in the Challenge field of the SMB_COM_NEGOTIATE server response. This value is used for all future challenge/response authentication operations performed on the connection.

The client MUST set Client.Connection.ServerMaxBufferSize to the value received in the MaxBufferSize field of the SMB_COM_NEGOTIATE Response.

The client MUST assign the minimum of Client.Connection.MaxMpxCount and the MaxMpxCount field to Client.Connection.MaxMpxCount.
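The state updates of this section, from the SecurityMode bits through the MaxMpxCount minimum, as an added example that is not part of the specification text. The 0x01 and 0x02 bit values are the ones quoted above; 0x04 and 0x08 are the values MS-CIFS assigns to the two signing bits (not quoted on this page), and the decoded response is modelled as a hypothetical dict keyed by field name. The signing-blocked table of section 3.2.4.2.4 is not reproduced here; the caller applies it to the returned ServerSigningState.

```python
from dataclasses import dataclass

# SecurityMode bits of the SMB_COM_NEGOTIATE Response.
NEGOTIATE_USER_SECURITY = 0x01                # clear => share-level access control
NEGOTIATE_ENCRYPT_PASSWORDS = 0x02            # set => challenge/response supported
NEGOTIATE_SECURITY_SIGNATURES_ENABLED = 0x04  # MS-CIFS value, not quoted above
NEGOTIATE_SECURITY_SIGNATURES_REQUIRED = 0x08 # MS-CIFS value, not quoted above


@dataclass
class Connection:
    """Subset of the Client.Connection ADM elements touched by section 3.2.5.2."""
    MaxMpxCount: int                       # client's own limit, chosen before NEGOTIATE
    ShareLevelAccessControl: bool = False  # initialised FALSE in section 3.2.3
    ServerChallengeResponse: bool = False  # initialised FALSE in section 3.2.3
    ServerSigningState: str = "Disabled"   # Disabled | Enabled | Required
    ServerCapabilities: int = 0
    ServerSessionKey: int = 0
    NTLMChallenge: bytes = b""
    ServerMaxBufferSize: int = 0


def server_signing_state(security_mode: int) -> str:
    """Derive Client.Connection.ServerSigningState from the SecurityMode field."""
    share_level = not (security_mode & NEGOTIATE_USER_SECURITY)
    plaintext = not (security_mode & NEGOTIATE_ENCRYPT_PASSWORDS)
    if share_level or plaintext:
        return "Disabled"  # signing unavailable; any signing bits are ignored
    if not (security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED):
        return "Disabled"
    if security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED:
        return "Required"
    return "Enabled"


def process_negotiate_response(conn: Connection, resp: dict) -> Connection:
    """Apply the stored-state updates of 3.2.5.2 to conn.
    resp: hypothetical decoded SMB_COM_NEGOTIATE Response keyed by field name."""
    mode = resp["SecurityMode"]
    if not mode & NEGOTIATE_USER_SECURITY:
        conn.ShareLevelAccessControl = True
    if mode & NEGOTIATE_ENCRYPT_PASSWORDS:
        conn.ServerChallengeResponse = True
    conn.ServerSigningState = server_signing_state(mode)
    conn.ServerCapabilities = resp["Capabilities"]
    conn.ServerSessionKey = resp["SessionKey"]
    conn.NTLMChallenge = resp["Challenge"]  # reused for all later auth on this connection
    conn.ServerMaxBufferSize = resp["MaxBufferSize"]
    # Never exceed what either side can handle.
    conn.MaxMpxCount = min(conn.MaxMpxCount, resp["MaxMpxCount"])
    return conn
```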

If the SMB_COM_NEGOTIATE Response is being processed as part of a connect attempt, the client continues to user authentication, as specified in section 3.2.4.2.4. The only other options are SMB_COM_ECHO (section 2.2.4.39) or termination of the connection.