3.1 Reading from a File on Remote CBAC Aware SMB2 Share

This scenario demonstrates the use cases described in sections 2.5.1.1.5 and 2.5.1.3.1. The client and server negotiate the authentication protocol to use by means of the Simple and Protected Generic Security Service Application Program Interface Negotiation Mechanism (SPNEGO): Microsoft Extension (as described in [MS-SPNG]), as described in [MS-AUTHSOD] and [MS-SPNG].

Based on the agreed authentication protocol, this scenario has the following variants:

  • Kerberos Protocol Extensions, as specified in [MS-KILE] and [MS-PKCA]

  • NT LAN Manager Authentication Protocol, as specified in [MS-NLMP]

If the agreed authentication protocol is Kerberos, this scenario in turn has the following subvariants:

  • The client has obtained a service ticket for the file service from the Key Distribution Center (KDC) with user and device claims.

  • The client has obtained a service ticket for the file service from the KDC without the user claims.

The following are the common prerequisites of this scenario.

Common Prerequisites

  • The client computer and server computer are joined to the same Active Directory domain.

  • The file server and file resource manager roles have been configured on the server computer.

  • The required user accounts and associated group memberships have been configured on an account database. For more information, see [MS-ADOD].

  • Claim types, resource file properties, and central access rules (CARs) have been created on the domain controller, and the CARs have been added to central access policies (CAPs) by using the Active Directory Administrative Center.

  • The intended central access policies (CAPs) have been targeted to the file server computer by using the Group Policy Management Console, and the CAPs have been enabled on the required file shares.

  • The required claims have been associated with the user and computer accounts.

  • Classification rules have been pushed onto the file server through the Lightweight Directory Access Protocol (LDAP) File Classification Infrastructure structures, as specified in [MS-FCIADS].

  • File share(s) have been created on the server computer and the appropriate shared permissions configured.

  • The value of the ClaimsCompIdFASTSupport ADM variable on the KDC has been configured to enable claims, compound identity, and Flexible Authentication Secure Tunneling (FAST), as specified in [MS-KILE] section 3.3.1.
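The following PowerShell is an added illustration of how the claim type, resource property, CAR, CAP, share, and KDC prerequisites above are typically provisioned; it is not part of this document or of any Microsoft product sample. The object names (Department, Department_MS, Finance Documents Rule, Finance CAP, FinanceDocs, D:\FinanceDocs) are constructed, the claim and resource-property IDs are assumed to be set explicitly so the ACE conditions can reference them, and the registry location checked for ClaimsCompIdFASTSupport is the assumed location written by the "KDC support for claims, compound authentication and Kerberos armoring" policy.

```powershell
# Added example: provisions the CBAC prerequisites on a domain controller
# (steps 1-4, ActiveDirectory module from RSAT) and the share on the file
# server (step 5). All names below are constructed for illustration.
Import-Module ActiveDirectory

# 1. User claim type sourced from the AD 'department' attribute. The ID is set
#    explicitly (assumed format) so the conditional ACE below can reference it.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -Enabled $true

# 2. Secured resource property that the classification rules stamp onto files,
#    published in the Global Resource Property List so the file server sees it.
$finance = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    "Finance", "Finance", "Finance department documents")
New-ADResourceProperty -DisplayName "Department_MS" -ID "Department_MS" `
    -ResourcePropertyValueType "MS-DS-Text" -IsSecured $true -SuggestedValues $finance
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Department_MS"

# 3. Central access rule: applies to files classified Department_MS == Finance;
#    grants Full Access only when the user's Department claim is also Finance
#    (conditional 'XA' ACE), plus Administrators. Everyone else is denied by
#    the absence of an allow ACE.
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;BA)(XA;;FA;;;AU;(@USER.ad://ext/Department == "Finance"))'

# 4. Central access policy containing the rule. Target it to the file server
#    with a GPO (Computer Configuration > Policies > Windows Settings >
#    Security Settings > File System > Central Access Policy), then apply the
#    CAP to the shared folder from its Security properties.
New-ADCentralAccessPolicy -Name "Finance CAP"
Add-ADCentralAccessPolicyMember -Identity "Finance CAP" -Members "Finance Documents Rule"

# 5. On the file server: share the folder. Share permissions stay broad; the
#    CAP (via NTFS) is what enforces the claims-based decision.
New-Item -ItemType Directory -Path "D:\FinanceDocs" -Force | Out-Null
New-SmbShare -Name "FinanceDocs" -Path "D:\FinanceDocs" -FullAccess "Authenticated Users"

# 6. On the KDC: confirm the policy behind ClaimsCompIdFASTSupport is in effect
#    (assumed registry location; 1 = claims, compound identity and FAST enabled).
$kdcKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters"
$p = Get-ItemProperty -Path $kdcKey -Name EnableCbacAndArmor -ErrorAction SilentlyContinue
if ($p -and $p.EnableCbacAndArmor -eq 1) { "KDC: claims/compound identity/FAST enabled" }
else { "KDC: claims support not enabled; set the KDC support policy and run gpupdate /force" }
```

Run steps 1-4 and 6 on a domain controller and step 5 on the file server; the client must re-obtain its service ticket after the KDC policy changes so the ticket carries the user and device claims.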