3.2.5.3.3 Handling Session Binding

The processing in this section is only applicable to a client that implements the SMB 3.x dialect family.

If the Status field in the SMB2 header of the response is not STATUS_SUCCESS and is not STATUS_MORE_PROCESSING_REQUIRED, the client MUST return the error code to the caller that initiated the session binding request and processing is complete.

If SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response, the client SHOULD<188> return STATUS_INVALID_NETWORK_RESPONSE to the caller.

Otherwise, the client MUST process the Generic Security Service (GSS) token that is received in the SMB2 SESSION_SETUP response following the SMB2 header, specified by the SecurityBufferOffset and SecurityBufferLength fields. The client MUST use the configured GSS authentication protocol, as specified in [MS-SPNG] section 3.3.5 and [RFC4178] section 3.2, to obtain the next GSS output token for the authentication exchange. Based on the result from the GSS authentication protocol, one of the following actions will be taken:

If the GSS protocol indicates an error, the error MUST be returned to the caller that initiated the session binding request and processing is complete.

If the GSS protocol returns success and the Status code of the SMB2 header of the response was STATUS_SUCCESS, session binding is complete. The client MUST process the request as follows:

  • The client MUST ignore the SMB2_SESSION_FLAG_ENCRYPT_DATA bit in the SessionFlags field of the SMB2 SESSION_SETUP Response.

  • If Connection.Dialect is "3.1.1", the client MUST generate a hash using the Connection.PreauthIntegrityHashId algorithm on the string constructed by concatenating Session.PreauthIntegrityHashValue and the session setup request message retrieved from the Connection.OutstandingRequests. The client MUST set Session.PreauthIntegrityHashValue to the hash value generated above.

  • The client MUST insert a new Channel entry in Session.ChannelList with the following values set:

    • Channel.SigningKey: MUST be set to a new signing key generated as specified in section 3.1.4.2, and passing the following inputs:

      • The first 16 bytes of the cryptographic key queried from the GSS protocol for this authenticated context, as the key derivation key. If the cryptographic key is less than 16 bytes, it is right-padded with zero bytes. For information about how this key is calculated for Kerberos authentication using Generic Security Service Application Programming Interface (GSS-API), see [MS-KILE] section 3.1.1.2. For information about how this key is calculated for NTLM authentication using GSS-API, see [MS-NLMP] section 3.1.5.1.

      • The case-sensitive ASCII string "SMB2AESCMAC" as the label.

      • The label buffer size in bytes, including the terminating null character. The size of "SMB2AESCMAC" is 12.

      • The case-sensitive ASCII string "SmbSign" as context for the algorithm.

      • The context buffer size in bytes, including the terminating null character. The size of "SmbSign" is 8.

    • Channel.Connection: MUST be set to the Connection on which this response is received.

If the GSS protocol returns success and the Status code of the SMB2 header of the response was STATUS_MORE_PROCESSING_REQUIRED, the client MUST send a subsequent session setup request to continue the reauthentication attempt. The client MUST construct an SMB2 SESSION_SETUP request following the syntax specified in section 2.2.5. The SMB2 header MUST be initialized as follows:

  • The Command field MUST be set to SMB2 SESSION_SETUP.

  • The MessageId field is set as specified in section 3.2.4.1.3.

  • The client MUST set the SessionId field in the SMB2 header of the new request to the SessionId received in the SMB2 header of the response.

  • The client MUST NOT regenerate Session.SessionKey. The client MUST NOT regenerate Session.FullSessionKey if it is not empty.

The SMB2 SESSION_SETUP request MUST be initialized as follows:

  • If RequireMessageSigning is TRUE, the client MUST set the SMB2_NEGOTIATE_SIGNING_REQUIRED bit in the SecurityMode field.

    If RequireMessageSigning is FALSE, the client MUST set the SMB2_NEGOTIATE_SIGNING_ENABLED bit in the SecurityMode field.

  • The client MUST set the Flags field to zero.

  • If the client supports the Distributed File System (DFS), the client MUST set the SMB2_GLOBAL_CAP_DFS bit in the Capabilities field. For more information about DFS, see [MSDFS].

  • The client MUST copy the GSS output token into the response. The client MUST set SecurityBufferOffset and SecurityBufferLength to describe the GSS output token.

    • The SessionId field in the SMB2 header MUST be set to the Session.SessionId for the new channel being established.

    • The SMB2_SESSION_FLAG_BINDING bit MUST be set in the Flags field.

If Connection.Dialect is "3.1.1", the client MUST update its Session.PreauthIntegrityHashValue as follows:

  • The client MUST generate a hash using the Connection.PreauthIntegrityHashId algorithm on the string constructed by concatenating Session.PreauthIntegrityHashValue and the session setup request message retrieved from the Connection.OutstandingRequests. The client MUST set Session.PreauthIntegrityHashValue to the hash value generated above.

  • The client MUST generate a hash using the Connection.PreauthIntegrityHashId algorithm on the string constructed by concatenating Session.PreauthIntegrityHashValue and the session setup response message, including all bytes from the response's SMB2 header to the last byte received from the network. The client MUST set Session.PreauthIntegrityHashValue to the hash value generated above.

This request MUST be sent to the server.