3.3.5.5 Receiving an SMB2 SESSION_SETUP Request

When the server receives a request with an SMB2 header with a Command value equal to SMB2 SESSION_SETUP, message handling proceeds as follows:

  1. If the server implements the SMB 3.x dialect family, Connection.Dialect does not belong to the SMB 3.x dialect family, EncryptData is TRUE, and RejectUnencryptedAccess is TRUE, the server MUST fail the request with STATUS_ACCESS_DENIED.

  2. If Connection.Dialect belongs to the SMB 3.x dialect family, EncryptData is TRUE, RejectUnencryptedAccess is TRUE, and Connection.ClientCapabilities does not include the SMB2_GLOBAL_CAP_ENCRYPTION bit, the server MUST fail the request with STATUS_ACCESS_DENIED.

  3. If SessionId in the SMB2 header of the request is zero, the server MUST process the authentication request as specified in section 3.3.5.5.1.

  4. If Connection.Dialect belongs to the SMB 3.x dialect family, IsMultiChannelCapable is TRUE, and the SMB2_SESSION_FLAG_BINDING bit is set in the Flags field of the request, the server MUST perform the following:

    • The server MUST look up the session in GlobalSessionTable using the SessionId from the SMB2 header. If the session is not found, the server MUST fail the session setup request with STATUS_USER_SESSION_DELETED. If a session is found, the server MUST do the following:

      • If Connection.Dialect is not the same as Session.Connection.Dialect, the server MUST fail the request with STATUS_INVALID_PARAMETER.

      • If the SMB2_FLAGS_SIGNED bit is not set in the Flags field in the header, the server MUST fail the request with error STATUS_INVALID_PARAMETER.

      • If Session.Connection.ClientGuid is not the same as Connection.ClientGuid, the server MAY fail the request with STATUS_USER_SESSION_DELETED.

      • If Session.State is InProgress, the server MUST fail the request with STATUS_REQUEST_NOT_ACCEPTED.

      • If Session.State is Expired, the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED.

      • If Session.IsAnonymous or Session.IsGuest is TRUE, the server MUST fail the request with STATUS_NOT_SUPPORTED.

      • If there is a session in Connection.SessionTable identified by the SessionId in the request, the server MUST fail the request with STATUS_REQUEST_NOT_ACCEPTED.

      • The server MUST verify the signature as specified in section 3.3.5.2.4, using the Session.SigningKey.

      • The server MUST obtain the security context from the GSS authentication subsystem, and it MUST invoke the GSS_Inquire_context call as specified in [RFC2743] section 2.2.6, passing the security context as the input parameter. If the returned "src_name" does not match Session.Username, the server MUST fail the request with error code STATUS_NOT_SUPPORTED.

      • If Connection.Dialect is "3.1.1", the server MUST look up the PreauthSession in Connection.PreauthSessionTable using the SessionId from the SMB2 header. If the PreauthSession is not found, the server MUST construct a PreauthSession object, insert it into Connection.PreauthSessionTable, and continue processing the request. The PreauthSession object MUST be initialized as follows:

        • Set PreauthSession.PreauthIntegrityHashValue to Connection.PreauthIntegrityHashValue.

        • Set PreauthSession.SessionID to the SessionId from the SMB2 header.

      • For each binding request after the first established Session, the server MUST compare Session.SupportsNotifications with the incoming Connection.SupportsNotifications value; if the values differ, the server MUST reject the incoming client’s binding request and fail the request with STATUS_INVALID_PARAMETER.

        Otherwise, it MUST continue processing the request.

     Otherwise, if the server implements the SMB 3.x dialect family, and Connection.Dialect is equal to "2.0.2" or "2.1" or IsMultiChannelCapable is FALSE, and SMB2_SESSION_FLAG_BINDING bit is set in the Flags field of the request, the server SHOULD<280> fail the session setup request with STATUS_REQUEST_NOT_ACCEPTED.

     Otherwise, the server MUST look up the session in Connection.SessionTable using the SessionId from the SMB2 header. If the session is not found, the server MUST fail the session setup request with STATUS_USER_SESSION_DELETED. If a session is found, proceed with the following steps.

  5. If Session.State is Expired, the server MUST process the session setup request as specified in section 3.3.5.5.2.

  6. If Session.State is Valid, the server SHOULD<281> process the session setup request as specified in section 3.3.5.5.2.

  7. The server MUST continue processing the request as specified in section 3.3.5.5.3.
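The order of the step 4 lookups and state checks, shown as an added example; it is not code from this specification or from any server implementation. The class and function names are hypothetical, the server is assumed to implement the SMB 3.x dialect family, and SessionId is assumed to be non-zero. Signature verification, the GSS src_name comparison, PreauthSession setup and the SupportsNotifications comparison are not modelled.

```python
from dataclasses import dataclass, field

SMB3_DIALECTS = {"3.0", "3.0.2", "3.1.1"}
SMB2_SESSION_FLAG_BINDING = 0x01  # Flags field of the SESSION_SETUP request
SMB2_FLAGS_SIGNED = 0x00000008    # Flags field of the SMB2 header

@dataclass
class Session:                    # entry in GlobalSessionTable
    dialect: str                  # Session.Connection.Dialect
    client_guid: str              # Session.Connection.ClientGuid
    state: str = "Valid"          # InProgress | Valid | Expired
    is_anonymous: bool = False
    is_guest: bool = False

@dataclass
class Connection:
    dialect: str
    client_guid: str
    session_table: dict = field(default_factory=dict)

def check_session_lookup(conn, global_table, session_id, hdr_flags, req_flags,
                         multichannel=True, enforce_client_guid=True):
    """Step 4 for a non-zero SessionId: failure status, or None to continue."""
    binding = bool(req_flags & SMB2_SESSION_FLAG_BINDING)
    if not (binding and multichannel and conn.dialect in SMB3_DIALECTS):
        if binding:               # 2.0.2/2.1 or no multichannel: SHOULD reject
            return "STATUS_REQUEST_NOT_ACCEPTED"
        found = session_id in conn.session_table
        return None if found else "STATUS_USER_SESSION_DELETED"
    s = global_table.get(session_id)
    if s is None:
        return "STATUS_USER_SESSION_DELETED"
    checks = [                    # evaluated in the order the section lists them
        (conn.dialect != s.dialect, "STATUS_INVALID_PARAMETER"),
        (not hdr_flags & SMB2_FLAGS_SIGNED, "STATUS_INVALID_PARAMETER"),
        (enforce_client_guid and conn.client_guid != s.client_guid,
         "STATUS_USER_SESSION_DELETED"),  # this one is a MAY in the spec
        (s.state == "InProgress", "STATUS_REQUEST_NOT_ACCEPTED"),
        (s.state == "Expired", "STATUS_NETWORK_SESSION_EXPIRED"),
        (s.is_anonymous or s.is_guest, "STATUS_NOT_SUPPORTED"),
        (session_id in conn.session_table, "STATUS_REQUEST_NOT_ACCEPTED"),
    ]
    return next((status for failed, status in checks if failed), None)

if __name__ == "__main__":        # constructed sample state, not captured traffic
    table = {0x1001: Session("3.1.1", "guid-A")}
    second_channel = Connection("3.1.1", "guid-A")
    print(check_session_lookup(second_channel, table, 0x1001, 0x0, 0x01))
```

A None result means the request goes on to signature verification with Session.SigningKey and the remaining step 4 checks.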

The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common status codes returned by this operation include:

  • STATUS_LOGON_FAILURE

  • STATUS_INSUFFICIENT_RESOURCES

  • STATUS_SUCCESS

  • STATUS_MORE_PROCESSING_REQUIRED

  • STATUS_INVALID_PARAMETER

  • STATUS_USER_SESSION_DELETED

  • STATUS_REQUEST_NOT_ACCEPTED

  • STATUS_PASSWORD_EXPIRED

  • SEC_E_INVALID_TOKEN

  • SEC_E_NO_CREDENTIALS