3.1.1.1 Service Ticket with the User and Device Claims

Prerequisites

The following are the additional prerequisites that are required for this variant, in addition to the common prerequisites described in section 3.1:

  • Enable Kerberos Flexible Authentication Secure Tunneling (FAST) on the client computer, as described in [MS-KILE] section 3.2.1.

  • Set the FAST-supported, Compound-identity-supported, and Claims-supported bit flags on the msDS-SupportedEncryptionTypes attribute of the krbtgt account. For details about the msDS-SupportedEncryptionTypes attribute, see [MS-KILE] section 2.2.7.

  • Set the Compound-identity-supported bit flags on the msDS-SupportedEncryptionTypes attribute of the file server computer account. For details about the msDS-SupportedEncryptionTypes attribute, see [MS-KILE] section 2.2.7.

Initial System State

  • The identity of the client computer account has been authenticated by the Authentication Services subsystem, as described in [MS-AUTHSOD] section 2.5.5.1, and the client computer has the TGT for the computer account.

  • The identity of the user has been authenticated by the KDC and the file server, and the identity of the file server has been authenticated by the client computer, as described in [MS-AUTHSOD] section 3.3.1. The client computer has submitted the service ticket, whose PAC contains the group memberships and the user and device claims, to access the intended file share.

  • The file server has obtained the PAC with the group memberships, user, and device claims from the client, and the SMB2 client (on the client computer) has obtained the sessionId as described in the Connecting to an SMB2 Share example in [MS-AUTHSOD] section 3.3.1.

  • The user who is running the SMB2 client application has not been authorized to read the remote file.

  • The file server has obtained the user's access token (security context) as described in section 2.5.1.3.1.

Final System State

  • The user who is running the SMB2 client application has been authorized to read the contents of the remote file.

Sequence of Events

The following sequence diagram shows the process of reading from a file on a remote CBAC-aware SMB2 share that is configured with user and device claims.


Figure 18: Reading from a file on a remote CBAC-aware SMB2 share configured with user and device claims

  1. The client sends an SMB2 TREE_CONNECT request (see [MS-SMB2] section 2.2.9) carrying the sessionId of the session and the Unicode share name "\\smb2server\ShareName".

  2. The server computer validates the request and verifies the access permissions on the requested share, as described in [MS-SMB2] section 3.3.5.7. If the verification succeeds, it responds with an SMB2 TREE_CONNECT response, as described in [MS-SMB2] section 2.2.10.

  3. The client sends an SMB2 CREATE request (see [MS-SMB2] section 2.2.13) for the file "testfile.txt" with the appropriate access mask value (the bits required for the read file operation), as described in [MS-SMB2] section 2.2.13.1.

  4. The server processes the request, as described in [MS-SMB2] section 3.3.5.9, and calls the underlying file system [MS-FSA] to verify the requesting user's access rights, passing the user's access token, the requested access rights, and other information. The file system processes the request, as described in [MS-FSA] section 2.1.5.1, and calls the access function of the authorization system to validate the access rights requested by the user. The authorization system runs the access check algorithm, as described in [MS-DTYP] section 2.5.3.2, to verify the requested access rights against the user's token. If the verification succeeds, the authorization system returns SUCCESS, indicating that the user has been granted permission to read the requested file.

    The file server constructs an SMB2 CREATE response (see [MS-SMB2] section 2.2.14) and responds to the client.

  5. The client sends an SMB2 READ request ([MS-SMB2] section 2.2.19) to read data from the file.

  6. The server validates the request ([MS-SMB2] section 3.3.5.12). If the validation is successful, it responds with an SMB2 READ response ([MS-SMB2] section 2.2.20) containing the data read from the file.

  7. The client sends an SMB2 CLOSE request ([MS-SMB2] section 2.2.15) to close the file.

  8. The server sends an SMB2 CLOSE response ([MS-SMB2] section 2.2.16) indicating that the close operation was successful.
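The following is an added illustration of the authorization step (step 4 above) and is not code from [MS-AZOD], [MS-DTYP], or Windows. It models, in simplified form, the ordered DACL walk that the access check performs on the caller's token, and shows why the compound-identity prerequisites at the top of this section matter: a conditional ACE that tests a user claim and a device claim together can only be satisfied when the PAC carried both, so a ticket issued without compound identity yields a token with no device claims and the read is refused. The SIDs, claim names, claim values, and the DACL itself are constructed sample data; the access-mask bit values are the file access rights of [MS-SMB2] section 2.2.13.1.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# File access-mask bits ([MS-SMB2] section 2.2.13.1).
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
FILE_READ_ATTRIBUTES = 0x00000080
READ_FILE = FILE_READ_DATA | FILE_READ_ATTRIBUTES   # what the CREATE in step 3 asks for

# Constructed sample SIDs (placeholders, not real identities).
EVERYONE = "S-1-1-0"
FINANCE_USERS = "S-1-5-21-1000-2000-3000-1105"
CONTRACTORS = "S-1-5-21-1000-2000-3000-1106"


@dataclass
class Token:
    """Access token the file server builds from the PAC: group SIDs plus
    user claims and device claims (device_claims stays empty when the ticket
    was not issued with compound identity)."""
    sids: List[str]
    user_claims: Dict[str, object] = field(default_factory=dict)
    device_claims: Dict[str, object] = field(default_factory=dict)


@dataclass
class Ace:
    kind: str                                            # "allow" or "deny"
    trustee: str                                         # SID the ACE applies to
    mask: int                                            # access bits it covers
    condition: Optional[Callable[[Token], bool]] = None  # set for conditional (callback) ACEs


def access_check(token: Token, dacl: List[Ace], desired: int) -> Tuple[bool, int]:
    """Simplified model of the DACL evaluation: ACEs are visited in order, a
    matching deny on any still-wanted bit fails the check immediately, and
    allows strip bits from the request until nothing remains. Returns
    (granted, bits that were granted). Not the [MS-DTYP] 2.5.3.2 text itself."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token.sids:
            continue                      # ACE is for a SID the caller does not hold
        if ace.condition is not None and not ace.condition(token):
            continue                      # conditional ACE whose expression is false is skipped
        if ace.kind == "deny":
            if remaining & ace.mask:
                return False, desired & ~remaining
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, desired
    return False, desired & ~remaining    # bits still outstanding: access denied


def finance_on_managed_device(token: Token) -> bool:
    # Models a conditional expression of the shape
    #   (@User.Department == "Finance") && (@Device.ManagedDevice == 1)
    # i.e. it needs one user claim AND one device claim to be present and true.
    return (token.user_claims.get("Department") == "Finance"
            and token.device_claims.get("ManagedDevice") == 1)


# Constructed DACL for the share: explicit deny first, then allows.
SHARE_DACL = [
    Ace("deny", CONTRACTORS, FILE_READ_DATA | FILE_WRITE_DATA),
    Ace("allow", EVERYONE, FILE_READ_ATTRIBUTES),
    Ace("allow", FINANCE_USERS, FILE_READ_DATA, condition=finance_on_managed_device),
]


def compound_identity_token() -> Token:
    """PAC carried group SIDs, user claims and device claims (this section's variant)."""
    return Token(sids=[EVERYONE, FINANCE_USERS],
                 user_claims={"Department": "Finance"},
                 device_claims={"ManagedDevice": 1})


def user_only_token() -> Token:
    """Same user, but the ticket lacked compound identity: no device claims in the PAC."""
    return Token(sids=[EVERYONE, FINANCE_USERS],
                 user_claims={"Department": "Finance"})


def contractor_token() -> Token:
    """Compound identity present, but the caller also holds a SID with an explicit deny."""
    return Token(sids=[EVERYONE, FINANCE_USERS, CONTRACTORS],
                 user_claims={"Department": "Finance"},
                 device_claims={"ManagedDevice": 1})


def run_checks() -> Dict[str, bool]:
    """Outcome of the step-4 access check for each constructed caller."""
    return {
        "compound_read": access_check(compound_identity_token(), SHARE_DACL, READ_FILE)[0],
        "user_only_read": access_check(user_only_token(), SHARE_DACL, READ_FILE)[0],
        "compound_write": access_check(compound_identity_token(), SHARE_DACL, FILE_WRITE_DATA)[0],
        "contractor_read": access_check(contractor_token(), SHARE_DACL, READ_FILE)[0],
    }


if __name__ == "__main__":
    for name, granted in run_checks().items():
        print(f"{name:16s} -> {'granted' if granted else 'denied'}")
```

Only the caller whose token holds both the user claim and the device claim gets FILE_READ_DATA; the user-only token fails at the conditional ACE even though it carries the same group SIDs, which is the behaviour a deployment missing the Compound-identity-supported flag on the krbtgt or file server account would show.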