2.1.2.3.1 File Access Services

The File Access Services section describes the steps that the file access services protocols ([MS-FASOD]) undertake to support authentication.

The core protocols of the file access services are:

To enforce access controls over files and resources on a file server, the server acquires the validated identity of the requestor, as illustrated in the following diagram. The file access services protocols depend on Authentication Services to support several authentication protocols, and on the ability to negotiate the authentication protocol between the client and the server.

In addition to the authentication support that CIFS provides, SMB provides new authentication methods that include Kerberos. The SMB Negotiate and SMB Session Setup commands have been enhanced to carry opaque security tokens to support mechanisms that are compatible with the Generic Security Services (GSS) [RFC2743].

Figure 8: Authentication protocol standards in the enterprise environment

The preceding diagram shows that the network traffic between the file system client and the file system server conforms to the file access services protocols. Those protocols carry the authentication protocol messages as opaque payloads inside their own protocol messages.

SMB and SMB2 rely on the Simple and Protected Generic Security Service Application Programming Interface Negotiation Mechanism (SPNEGO) ([RFC4178], [MS-SPNG], and [MS-NEGOEX]) for authentication, which in turn relies on Kerberos [MS-KILE] and on the NTLM [MS-NLMP] challenge/response authentication protocol. If the authentication protocol agreed on between client and server is NTLM [MS-NLMP], the file server authenticates the user credentials provided by the file access services client by submitting them over the APDS protocol [MS-APDS] to the DC that holds the user account information. Otherwise, if the authentication protocol is Kerberos [MS-KILE], the file server authenticates the user identity by validating the service ticket for the SMB service that the file system client submitted.
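The opaque security buffer that SMB Session Setup carries is, in practice, either a SPNEGO token (a negTokenInit listing the mechanisms the client offers, or a negTokenResp naming the one the server selected) or a bare NTLMSSP message. The following Python is an added example, not taken from [MS-FASOD] or any Microsoft implementation: it decodes just enough DER to report which mechanism a captured buffer offers or selects, which is what an administrator auditing for Kerberos-versus-NTLM usage on a file server needs. The sample tokens are constructed inline with a small encoder and are hypothetical; the mechanism OIDs (SPNEGO, Kerberos V5, the legacy MS Kerberos OID, NEGOEX, NTLMSSP) are the standard registered values.

```python
"""Added example: classify the mechanism carried in an SMB SESSION_SETUP security buffer.
Handles SPNEGO negTokenInit / negTokenResp (RFC 4178 shapes) and bare NTLMSSP.
Only the DER subset these tokens use is parsed; this is not a general ASN.1 library."""
import struct

SPNEGO_OID = "1.3.6.1.5.5.2"
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


# ---- minimal DER reading ----------------------------------------------------
def _read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element at buf[pos]; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(value):
    """Iterate (tag, value) over the elements packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def decode_oid(raw):
    """Decode OID content bytes (base-128 arcs) to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


# ---- classification ---------------------------------------------------------
def classify_security_blob(blob):
    """Describe what a SESSION_SETUP security buffer offers (client) or selects (server)."""
    if blob.startswith(NTLMSSP_SIGNATURE):              # NTLMSSP without a SPNEGO wrapper
        msg_type = struct.unpack_from("<I", blob, 8)[0]  # 1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE
        return {"wrapper": "raw NTLMSSP", "offered": ["NTLMSSP"], "selected": "NTLMSSP",
                "kerberos_offered": False, "ntlm_message_type": msg_type}

    tag, value, _ = _read_tlv(blob)
    if tag == 0x60:                                     # GSS InitialContextToken: OID + negTokenInit
        kids = list(_children(value))
        if kids[0][0] != 0x06 or decode_oid(kids[0][1]) != SPNEGO_OID:
            raise ValueError("not a SPNEGO token")
        tag, value = kids[1]
    # Both CHOICE arms wrap one SEQUENCE whose members are context-tagged [0], [1], ...
    fields = dict(_children(next(_children(value))[1]))

    if tag == 0xA0:                                     # negTokenInit: client's ordered mechTypes
        mechlist = next(_children(fields[0xA0]))[1]     # body of SEQUENCE OF MechType
        offered = [KNOWN_MECHS.get(decode_oid(v), decode_oid(v))
                   for t, v in _children(mechlist) if t == 0x06]
        return {"wrapper": "SPNEGO negTokenInit", "offered": offered, "selected": None,
                "kerberos_offered": any("Kerberos" in m for m in offered)}
    if tag == 0xA1:                                     # negTokenResp: server's negState/supportedMech
        state = NEG_STATE.get(_read_tlv(fields[0xA0])[1][0]) if 0xA0 in fields else None
        selected = None
        if 0xA1 in fields:
            oid = decode_oid(_read_tlv(fields[0xA1])[1])
            selected = KNOWN_MECHS.get(oid, oid)
        return {"wrapper": "SPNEGO negTokenResp", "offered": [], "selected": selected,
                "neg_state": state, "kerberos_offered": None}
    raise ValueError("unrecognised security buffer (tag 0x%02x)" % tag)


def ntlm_despite_kerberos(init_blob, resp_blob):
    """Audit check: client offered Kerberos but the server's response selected NTLMSSP."""
    return (classify_security_blob(init_blob)["kerberos_offered"] is True
            and classify_security_blob(resp_blob)["selected"] == "NTLMSSP")


# ---- constructed sample tokens (hypothetical, built inline for the example) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _der(0x06, bytes(out))


def sample_neg_token_init(mech_oids):
    mech_types = _der(0x30, b"".join(encode_oid(o) for o in mech_oids))
    seq = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, b"\x60\x00")))  # dummy mechToken
    return _der(0x60, encode_oid(SPNEGO_OID) + _der(0xA0, seq))


def sample_neg_token_resp(state, mech_oid):
    seq = _der(0x30, _der(0xA0, _der(0x0A, bytes([state]))) + _der(0xA1, encode_oid(mech_oid)))
    return _der(0xA1, seq)


# Constructed bare NTLMSSP NEGOTIATE: signature, MessageType=1, flags, zeroed domain/workstation fields.
SAMPLE_RAW_NTLM = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16

if __name__ == "__main__":
    init = sample_neg_token_init(list(KNOWN_MECHS))
    resp = sample_neg_token_resp(1, "1.3.6.1.4.1.311.2.2.10")
    for blob in (init, resp, SAMPLE_RAW_NTLM):
        print(classify_security_blob(blob))
    print("NTLM selected although Kerberos was offered:", ntlm_despite_kerberos(init, resp))
```

Run over the security buffers extracted from a capture of SMB Session Setup requests and responses, the negTokenInit tells you what the client is able to use and the negTokenResp tells you what the server actually chose; a raw NTLMSSP buffer means the SPNEGO layer was not used at all. The `ntlm_despite_kerberos` check is the one to wire into monitoring, since a session that offered Kerberos but fell back to NTLM is exactly the case the APDS pass-through path in the text describes.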