3.2.4.2.4 User Authentication
Processing of this event is handled as specified in [MS-CIFS] section 3.2.4.2.4, with the following additions:
If Client.Connection.ShareLevelAccessControl is FALSE:
For each existing Connection to the server in Client.ConnectionTable[ServerName], the client MUST search the Client.Connection.SessionTable for a Session that corresponds to the user that establishes the connection to the share. The client MUST search for a valid Session by either a security context or a UID representing the user.
If a Connection with an existing Session for this user is found, then the client MUST reuse the Session and continue processing.
If none of the existing Connections to the server has a valid Session for this user, the client SHOULD<80> reuse one of the existing Connections identified or established in section 3.2.4.2.1. The client MUST establish a new Session for the user. The user's credentials, typically a username or principal and an associated password or password hash, MUST be stored in Client.Session.UserCredentials.
Signing
The client-global Client.MessageSigningPolicy MUST be compared against the selected Client.Connection.ServerSigningState, as per the following table. If the result is Blocked, the underlying transport connection SHOULD be closed.<81>
|
Client signing state |
Server signing state |
|||
|---|---|---|---|---|
|
|
Disabled |
Declined |
Enabled |
Required |
|
Disabled |
Message Unsigned |
Message Unsigned |
Message Unsigned |
Blocked |
|
Declined |
Message Unsigned |
Message Unsigned |
Message Unsigned |
Message Signed |
|
Enabled |
Message Unsigned |
Message Unsigned |
Message Signed |
Message Signed |
|
Required |
Blocked |
Message Signed |
Message Signed |
Message Signed |
If the client's Client.MessageSigningPolicy is "Required", the client MUST set the SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED bit in the Flags2 field of the SMB_COM_SESSION_SETUP_ANDX request SMB header to indicate that the client refuses to connect if signing is not used.
Extended Security
If Client.Connection.ServerCapabilities has the CAP_EXTENDED_SECURITY flag set (which indicates that the server supports extended security), then the client MUST construct an SMB_COM_SESSION_SETUP_ANDX request, as specified in section 2.2.4.6.1.
The client MUST do one of the following:
Pass the Client.Connection.GSSNegotiateToken (if valid) to the configured GSS authentication mechanism to obtain a GSS output token for the authentication protocol exchange.<82>
Choose to ignore the Client.Connection.GSSNegotiateToken received from the server, and give an empty input token to the configured GSS authentication protocol to obtain a GSS output token for the authentication protocol exchange.
In either case, the client MUST initiate the GSS authentication protocol via the GSS_Init_sec_context() interface, as specified in [RFC2743], passing in the input Client.Connection.GSSNegotiateToken as previously described, along with the credentials from Client.Session.UserCredentials. The client MUST set the MutualAuth and Delegate options which are specified in [MS-KILE] section 3.2.1.<83>
The client MUST then create an SMB_COM_SESSION_SETUP_ANDX request (section 2.2.4.6.1) message. The client MUST set CAP_EXTENDED_SECURITY in the Capabilities field, SMB_FLAGS2_EXTENDED_SECURITY in the SMB_Header.Flags2 field, the SMB_Data.Bytes.SecurityBlob field to the GSS output token generated by the GSS_Init_sec_context() interface, and the SMB_Parameters.Words.SecurityBlobLength to the length of the GSS output token.