3.2.4.2.3 Authenticating the User

To establish a new session, the client MAY<137> either:

  • Pass the Connection.GSSNegotiateToken to the configured GSS authentication mechanism to obtain a GSS output token for the authentication protocol exchange, as specified in [MS-SPNG] section 3.3.5.2.

    OR

  • Choose to ignore the Connection.GSSNegotiateToken that is received from the server, and initiate a normal GSS sequence, as specified in [RFC4178] section 3.2.

In either case, the client MUST call the GSS authentication protocol with the MutualAuth and Delegate options. In addition, the client MUST also set the GSS_C_FRAGMENT_TO_FIT parameter as specified in [MS-SPNG] section 3.3.1. When GSS_C_FRAGMENT_TO_FIT is set, the GSS-API output token is limited to a size determined by local policy<138>.

If the GSS authentication protocol returns an error, the share connect attempt MUST be aborted and the error MUST be returned to the higher-level application.

If the GSS authentication succeeds, the client MUST construct an SMB2 SESSION_SETUP Request, as specified in section 2.2.5. The SMB2 header MUST be initialized as follows:

  • The Command field MUST be set to SMB2 SESSION_SETUP.

  • The MessageId field is set as specified in section 3.2.4.1.3.

The SMB2 SESSION_SETUP Request MUST be initialized as follows:

  • If RequireMessageSigning is TRUE, the client MUST set the SMB2_NEGOTIATE_SIGNING_REQUIRED bit in the SecurityMode field.

    If RequireMessageSigning is FALSE, the client MUST set the SMB2_NEGOTIATE_SIGNING_ENABLED bit in the SecurityMode field.

  • The Flags field MUST be set to 0.

  • If the client supports the Distributed File System (DFS), as specified in [MS-DFSC], the SMB2_GLOBAL_CAP_DFS bit in the Capabilities field MUST be set.

  • If the client is attempting to reestablish a session, the client MUST set PreviousSessionId to its previous session identifier to allow the server to remove any session associated with this identifier. Otherwise, the client MUST set PreviousSessionId to 0.

  • The GSS output token is copied into the Buffer field in the request. The client MUST set SecurityBufferOffset and SecurityBufferLength to describe the location and length of the GSS output token in the request.

If the client implements the SMB 3.x dialect family and this authentication is for establishing an alternative channel for an existing Session, as specified in section 3.2.5.5, the client MUST also set the following values:

  • The SessionId field in the SMB2 header MUST be set to the Session.SessionId for the new channel being established.

  • The SMB2_SESSION_FLAG_BINDING bit MUST be set in the Flags field.

  • The PreviousSessionId field MUST be set to zero.

This request MUST be sent to the server.
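The following Python is an added worked example, not code from [MS-SMB2] or from any SMB implementation. It assembles the SMB2 header and the SESSION_SETUP Request exactly as the rules above require, covering both the ordinary case and the SMB 3.x alternative-channel (binding) case from section 3.2.5.5, and pairs the builder with a receiver-side parser that bounds-checks SecurityBufferOffset and SecurityBufferLength before touching the buffer. The field layout and constant values (header offsets, StructureSize 25, the SecurityMode, Capabilities and Flags bit values, Command value 0x0001) are taken from [MS-SMB2] sections 2.2.1.2 and 2.2.5, which this section only refers to; the GSS output token is a constructed placeholder, since the GSS exchange itself is not modelled.

```python
"""Construct and parse an SMB2 SESSION_SETUP Request per section 3.2.4.2.3.

Added example, not code from [MS-SMB2] or any SMB implementation. Field
layout and constants follow [MS-SMB2] section 2.2.1.2 (synchronous SMB2
header) and section 2.2.5 (SESSION_SETUP Request). The GSS token handed to
the builder is a constructed placeholder for the real GSS output token.
"""
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_SIZE = 64
SMB2_SESSION_SETUP = 0x0001               # Command value
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x01     # SecurityMode bits
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x02
SMB2_GLOBAL_CAP_DFS = 0x00000001          # Capabilities bit
SMB2_SESSION_FLAG_BINDING = 0x01          # SESSION_SETUP Flags bit

HEADER_FMT = "<4sHHIHHIIQIIQ16s"          # 64-byte header
BODY_FMT = "<HBBIIHHQ"                    # 24 fixed bytes before Buffer
SESSION_SETUP_STRUCTURE_SIZE = 25         # fixed part plus one Buffer byte
FIXED_LEN = SMB2_HEADER_SIZE + struct.calcsize(BODY_FMT)   # 88


def build_session_setup(gss_token, message_id, require_message_signing,
                        supports_dfs, previous_session_id=0,
                        binding_session_id=None):
    """Return SMB2 header + SESSION_SETUP Request bytes.

    binding_session_id selects the SMB 3.x alternative-channel case of
    section 3.2.5.5: SessionId carries the existing Session.SessionId,
    SMB2_SESSION_FLAG_BINDING is set and PreviousSessionId is forced to 0.
    """
    # RequireMessageSigning selects exactly one SecurityMode bit.
    if require_message_signing:
        security_mode = SMB2_NEGOTIATE_SIGNING_REQUIRED
    else:
        security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED
    capabilities = SMB2_GLOBAL_CAP_DFS if supports_dfs else 0

    flags = 0
    header_session_id = 0
    if binding_session_id is not None:
        flags = SMB2_SESSION_FLAG_BINDING
        header_session_id = binding_session_id
        previous_session_id = 0

    header = struct.pack(
        HEADER_FMT,
        SMB2_PROTOCOL_ID, SMB2_HEADER_SIZE,
        0,                      # CreditCharge
        0,                      # Status (ChannelSequence/Reserved in 3.x)
        SMB2_SESSION_SETUP,     # Command
        0,                      # CreditRequest
        0,                      # Flags: plain request, not yet signed
        0,                      # NextCommand: no compounding
        message_id,             # MessageId, per section 3.2.4.1.3
        0,                      # Reserved
        0,                      # TreeId: no tree connect yet
        header_session_id,      # SessionId
        b"\x00" * 16,           # Signature
    )
    # SecurityBufferOffset is measured from the start of the SMB2 header.
    body = struct.pack(
        BODY_FMT,
        SESSION_SETUP_STRUCTURE_SIZE, flags, security_mode, capabilities,
        0,                      # Channel
        FIXED_LEN, len(gss_token), previous_session_id,
    )
    return header + body + gss_token


def parse_session_setup(msg):
    """Decode a SESSION_SETUP Request, bounds-checking the security buffer.

    A receiver must not trust SecurityBufferOffset/Length blindly; both
    are validated against the real message length before slicing.
    """
    if len(msg) < FIXED_LEN:
        raise ValueError("message shorter than header plus fixed body")
    hdr = struct.unpack_from(HEADER_FMT, msg, 0)
    if hdr[0] != SMB2_PROTOCOL_ID or hdr[4] != SMB2_SESSION_SETUP:
        raise ValueError("not an SMB2 SESSION_SETUP message")
    (struct_size, flags, security_mode, capabilities, _channel,
     sec_off, sec_len, prev_sid) = struct.unpack_from(BODY_FMT, msg,
                                                      SMB2_HEADER_SIZE)
    if struct_size != SESSION_SETUP_STRUCTURE_SIZE:
        raise ValueError("bad StructureSize")
    if sec_off < FIXED_LEN or sec_off + sec_len > len(msg):
        raise ValueError("security buffer lies outside the message")
    return {
        "message_id": hdr[8],
        "session_id": hdr[11],
        "flags": flags,
        "security_mode": security_mode,
        "capabilities": capabilities,
        "previous_session_id": prev_sid,
        "security_buffer": msg[sec_off:sec_off + sec_len],
    }


if __name__ == "__main__":
    token = b"\x60\x05\x06\x01\x02"   # constructed placeholder, not real SPNEGO
    msg = build_session_setup(token, message_id=1,
                              require_message_signing=True, supports_dfs=True)
    print(parse_session_setup(msg))
```

The parser's offset check is the defender-side counterpart of the SecurityBufferOffset/SecurityBufferLength rule: a server that slices on the advertised offset and length without comparing them to the received length reads past the message, so the check is done before the buffer is handed to the GSS layer.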