3.2.5.3.2 Handling a Reauthentication

If the Status field in the SMB2 header of the response is not STATUS_SUCCESS and is not STATUS_MORE_PROCESSING_REQUIRED, the client MUST return the error code to the calling application that initiated the reauthentication request and processing is complete.

Otherwise, the client MUST process the Generic Security Service (GSS) token that is received in the SMB2 SESSION_SETUP response following the SMB2 header, described by SecurityBufferOffset and SecurityBufferLength. The client MUST use the configured GSS authentication protocol, as specified in [MS-SPNG] section 3.3.5 and [RFC4178] section 3.2, to obtain the next GSS output token for the authentication exchange. Based on the result from the GSS authentication protocol, one of the following actions will be taken:

If the GSS protocol indicates an error, the error MUST be returned to the calling application that initiated the reauthentication request and processing is complete.

If the GSS protocol returns success and the Status code of the SMB2 header of the response was STATUS_SUCCESS, reauthentication is complete. The client MUST return success to the calling application that initiated the reauthentication request.

If the GSS protocol returns success and the Status code of the SMB2 header of the response was STATUS_MORE_PROCESSING_REQUIRED, the client MUST send a subsequent session setup request to continue the reauthentication attempt. The client MUST construct an SMB2 SESSION_SETUP request following the syntax specified in section 2.2.5. The SMB2 header MUST be initialized as follows:

  • The Command field MUST be set to SMB2 SESSION_SETUP.

  • The MessageId field is set as specified in section 3.2.4.1.3.

  • The client MUST set the SessionId field in the SMB2 header of the new request to the SessionId received in the SMB2 header of the response.

  • The client MUST NOT regenerate Session.SessionKey. The client MUST NOT regenerate Session.FullSessionKey if it is not empty.

The SMB2 SESSION_SETUP request MUST be initialized as follows:

  • If RequireMessageSigning is TRUE, the client MUST set the SMB2_NEGOTIATE_SIGNING_REQUIRED bit in the SecurityMode field.

    If RequireMessageSigning is FALSE, the client MUST set the SMB2_NEGOTIATE_SIGNING_ENABLED bit in the SecurityMode field.

  • The client MUST set the Flags field to 0.

  • If the client supports the Distributed File System (DFS), the client MUST set the SMB2_GLOBAL_CAP_DFS bit in the Capabilities field. For more information about DFS, see [MSDFS].

  • The client MUST copy the GSS output token into the response. The client MUST set SecurityBufferOffset and SecurityBufferLength to describe the GSS output token.

This request MUST be sent to the server.
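The processing rules above, as an added Python example (not part of the specification and not taken from any SMB2 implementation). The `gss_step` callable standing in for the GSS mechanism, the `constructed_response` helper, the CreditRequest value of 1, and the zero Channel and PreviousSessionId fields are assumptions; signing of the outgoing request is out of scope. The example also bounds-checks SecurityBufferOffset and SecurityBufferLength before the token is handed to GSS.

```python
import struct

STATUS_SUCCESS = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016
SMB2_SESSION_SETUP = 0x0001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x01
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x02
SMB2_GLOBAL_CAP_DFS = 0x00000001
HDR = struct.Struct("<4sHHIHHIIQIIQ16s")  # 64-byte SMB2 header (sync form)
RSP = struct.Struct("<HHHH")              # SESSION_SETUP response, fixed part
REQ = struct.Struct("<HBBIIHHQ")          # SESSION_SETUP request, fixed part


def constructed_response(status, session_id, token):
    """Build a constructed sample server response (not captured traffic)."""
    hdr = HDR.pack(b"\xfeSMB", 64, 0, status, SMB2_SESSION_SETUP, 1, 1, 0,
                   7, 0, 0, session_id, bytes(16))
    return hdr + RSP.pack(9, 0, HDR.size + RSP.size, len(token)) + token


def handle_reauth_response(msg, gss_step, message_id, require_signing, supports_dfs):
    """Return ("error", code), ("done", None) or ("send", request_bytes)."""
    if len(msg) < HDR.size + RSP.size or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 SESSION_SETUP response")
    fields = HDR.unpack_from(msg)
    status, session_id = fields[3], fields[11]
    if status not in (STATUS_SUCCESS, STATUS_MORE_PROCESSING_REQUIRED):
        return ("error", status)
    _, _, off, length = RSP.unpack_from(msg, HDR.size)
    # Offsets count from the start of the SMB2 header; reject a buffer that
    # overlaps the fixed fields or runs past the received message.
    if length and (off < HDR.size + RSP.size or off + length > len(msg)):
        raise ValueError("security buffer outside message")
    ok, out = gss_step(msg[off:off + length])  # hypothetical GSS step
    if not ok:
        return ("error", out)
    if status == STATUS_SUCCESS:
        return ("done", None)
    # Session.SessionKey / Session.FullSessionKey are deliberately untouched.
    mode = SMB2_NEGOTIATE_SIGNING_REQUIRED if require_signing else SMB2_NEGOTIATE_SIGNING_ENABLED
    caps = SMB2_GLOBAL_CAP_DFS if supports_dfs else 0
    # CreditRequest=1 is an assumption; SessionId is echoed from the response.
    header = HDR.pack(b"\xfeSMB", 64, 0, 0, SMB2_SESSION_SETUP, 1, 0, 0,
                      message_id, 0, 0, session_id, bytes(16))
    body = REQ.pack(25, 0, mode, caps, 0, HDR.size + REQ.size, len(out), 0)
    return ("send", header + body + out)
```

The caller supplies `message_id` as chosen under section 3.2.4.1.3 and is responsible for sending the returned bytes to the server.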