188.8.131.52.3 Authenticating the User
To establish a new session, the client MAY<118> either:
Choose to ignore the Connection.GSSNegotiateToken that is received from the server, and initiate a normal GSS sequence, as specified in [RFC4178] section 3.2.
In either case, it MUST call the GSS authentication protocol with the MutualAuth and Delegate options. In addition, the client MUST also set the GSS_C_FRAGMENT_TO_FIT parameter as specified in [MS-SPNG] section 3.3.1. The GSS-API output token is up to a size limit determined by local policy<119> when GSS_C_FRAGMENT_TO_FIT is set.
If the GSS authentication protocol returns an error, the share connect attempt MUST be aborted and the error MUST be returned to the higher-level application.
The Command field MUST be set to SMB2 SESSION_SETUP.
The MessageId field is set as specified in section 184.108.40.206.3.
The SMB2 SESSION_SETUP Request MUST be initialized as follows:
If RequireMessageSigning is TRUE, the client MUST set the SMB2_NEGOTIATE_SIGNING_REQUIRED bit in the SecurityMode field.
If RequireMessageSigning is FALSE, the client MUST set the SMB2_NEGOTIATE_SIGNING_ENABLED bit in the SecurityMode field.
The Flags field MUST be set to 0.
If the client is attempting to reestablish a session, the client MUST set PreviousSessionId to its previous session identifier to allow the server to remove any session associated with this identifier. Otherwise, the client MUST set PreviousSessionId to 0.
The GSS output token is copied into the Buffer field in the request. The client MUST set SecurityBufferOffset and SecurityBufferLength to describe the location and length of the GSS output token in the request.
If the client implements the SMB 3.x dialect family and this authentication is for establishing an alternative channel for an existing Session, as specified in section 220.127.116.11, the client MUST also set the following values:
The SessionId field in the SMB2 header MUST be set to the Session.SessionId for the new channel being established.
The SMB2_SESSION_FLAG_BINDING bit MUST be set in the Flags field.
The PreviousSessionId field MUST be set to zero.
This request MUST be sent to the server.
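The following Python example is added here and is not part of the specification. It packs the SESSION_SETUP request according to the rules above and parses it back with a bounds check on the security buffer. The numeric constants and field layouts come from the MS-SMB2 structure definitions rather than from this section; fields this section does not mention (credits, Capabilities, Channel, TreeId) are set to 0 as an assumption, and the token bytes are a constructed placeholder.

```python
import struct

# Values and layouts from the MS-SMB2 structure definitions, not this section.
SMB2_SESSION_SETUP = 0x0001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x01
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x02
SMB2_SESSION_FLAG_BINDING = 0x01
HDR_FMT, BODY_FMT = "<4sHHIHHIIQIIQ16s", "<HBBIIHHQ"
HDR_LEN, BODY_LEN = struct.calcsize(HDR_FMT), struct.calcsize(BODY_FMT)  # 64, 24

def build_session_setup(gss_token, message_id, require_signing,
                        previous_session_id=0, bind_session_id=None):
    """Pack SMB2 header + SESSION_SETUP request carrying one GSS output token."""
    flags, session_id = 0, 0                  # Flags MUST be 0 for a new session
    if bind_session_id is not None:           # SMB 3.x: bind a new channel
        flags = SMB2_SESSION_FLAG_BINDING
        session_id = bind_session_id          # Session.SessionId goes in the header
        previous_session_id = 0               # MUST be zero when binding
    mode = (SMB2_NEGOTIATE_SIGNING_REQUIRED if require_signing
            else SMB2_NEGOTIATE_SIGNING_ENABLED)
    # Fields this section does not mention are 0 here (assumption).
    header = struct.pack(HDR_FMT, b"\xfeSMB", HDR_LEN, 0, 0, SMB2_SESSION_SETUP,
                         0, 0, 0, message_id, 0, 0, session_id, bytes(16))
    body = struct.pack(BODY_FMT, 25, flags, mode, 0, 0,
                       HDR_LEN + BODY_LEN, len(gss_token), previous_session_id)
    return header + body + gss_token          # token is copied into Buffer

def parse_session_setup(msg):
    """Decode the fields this section constrains; reject a bad buffer range."""
    hdr = struct.unpack_from(HDR_FMT, msg, 0)
    _, flags, mode, _, _, off, length, prev = struct.unpack_from(BODY_FMT, msg, HDR_LEN)
    if off < HDR_LEN + BODY_LEN or off + length > len(msg):
        raise ValueError("SecurityBuffer lies outside the request")
    return {"command": hdr[4], "message_id": hdr[8], "session_id": hdr[11],
            "flags": flags, "security_mode": mode,
            "previous_session_id": prev, "token": msg[off:off + length]}

if __name__ == "__main__":
    token = b"\x60\x04TEST"                   # constructed placeholder, not a real GSS token
    print(parse_session_setup(build_session_setup(token, 1, True)))
```

The same parser can be pointed at captured requests to confirm that a client sets the signing bit its policy requires and that a binding request carries a zero PreviousSessionId.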