3.3.5.4 SPNEGO Negotiation State

This state is used to negotiate the security scheme between the client and server. The TDS server processes the packet received according to the following rules.

  • If the packet received is a structurally valid SPNEGO [RFC4178] negotiation packet, the TDS server delegates processing of the security token embedded in the packet to the SPNEGO layer. The SPNEGO layer responds with one of three results, and the TDS server continues processing according to the response as follows:

    • Complete: The TDS server then sends the security token to the upper layer (typically an application that provides database management functions) for authorization. If the upper layer approves the security token, the TDS server returns the security token to the client within a LOGINACK message and immediately enters the "Logged In" state or enters the "Routing Completed" state if the server decides to route. If the upper layer rejects the security token, then a "Login failed" ERROR token is sent back to the client, the TDS server closes the connection, and the TDS server enters the "Final State" state.

    • Continue: The TDS server sends a SPNEGO [RFC4178] negotiation response to the client, embedding the new security token returned by SPNEGO as part of the Continue response. The server then waits for a message from the client and re-enters the SPNEGO negotiation state when such a packet is received.

    • Error: The server then MUST close the underlying transport connection, indicate an error to the upper layer, and enter the "Final State" state.

  • If the packet received is not a structurally valid SPNEGO [RFC4178] negotiation packet, the TDS server will send no response to the client. The TDS server MUST close the underlying transport connection, indicate an error to the upper layer, and enter the "Final State" state.
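The four branches above form a small state machine; the model below, added here as an illustration and not code from the specification or from any TDS implementation, runs it end to end. The SPNEGO layer and the upper (authorization) layer are constructed stand-ins: the fake SPNEGO layer answers Continue on the first round and Complete on the second, and treats a packet containing the bytes `bad` as a negotiation error. The structural check is a simplified assumption as well: it only verifies that the packet is a single DER element with one of the outer tags RFC 4178 / GSS-API tokens use (0x60 for the initial token, 0xA0/0xA1 for NegTokenInit/NegTokenResp) and that the encoded length matches the packet exactly; a real server runs a full ASN.1 parser. All tokens and packets are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, List, Tuple


class SpnegoResult(Enum):
    COMPLETE = auto()
    CONTINUE = auto()
    ERROR = auto()


class TdsState(Enum):
    SPNEGO_NEGOTIATION = auto()
    LOGGED_IN = auto()
    ROUTING_COMPLETED = auto()
    FINAL = auto()


def der_wrap(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length) around payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def is_structurally_valid_spnego(packet: bytes) -> bool:
    """Simplified structural check (assumption): one DER element, known outer
    tag, declared length covering the packet exactly (no trailing bytes)."""
    if len(packet) < 2 or packet[0] not in (0x60, 0xA0, 0xA1):
        return False
    first = packet[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(packet) < 2 + nbytes:
            return False
        length = int.from_bytes(packet[2:2 + nbytes], "big")
        hdr = 2 + nbytes
    return hdr + length == len(packet)


class FakeSpnego:
    """Constructed stand-in for the SPNEGO layer: round 1 -> CONTINUE with a
    challenge, round 2 -> COMPLETE with the final token; b'bad' -> ERROR."""

    def __init__(self) -> None:
        self.round = 0

    def __call__(self, packet: bytes) -> Tuple[SpnegoResult, bytes]:
        self.round += 1
        if b"bad" in packet:
            return SpnegoResult.ERROR, b""
        if self.round == 1:
            return SpnegoResult.CONTINUE, der_wrap(0xA1, b"challenge")
        return SpnegoResult.COMPLETE, der_wrap(0xA1, b"final")


@dataclass
class TdsServer:
    spnego: Callable[[bytes], Tuple[SpnegoResult, bytes]]
    upper_layer: Callable[[bytes], bool]          # authorization decision
    route: bool = False                           # server decides to route
    state: TdsState = TdsState.SPNEGO_NEGOTIATION
    sent: List[Tuple[str, bytes]] = field(default_factory=list)
    transport_open: bool = True
    upper_layer_error: bool = False

    def _abort(self) -> None:
        # Shared by the Error result and the structurally-invalid case:
        # nothing is sent, transport closed, upper layer told, Final State.
        self.transport_open = False
        self.upper_layer_error = True
        self.state = TdsState.FINAL

    def handle_packet(self, packet: bytes) -> TdsState:
        if self.state is not TdsState.SPNEGO_NEGOTIATION:
            raise RuntimeError("not in SPNEGO negotiation state")
        if not is_structurally_valid_spnego(packet):
            self._abort()                          # silent close, no response
            return self.state
        result, token = self.spnego(packet)
        if result is SpnegoResult.COMPLETE:
            if self.upper_layer(token):
                self.sent.append(("LOGINACK", token))
                self.state = (TdsState.ROUTING_COMPLETED if self.route
                              else TdsState.LOGGED_IN)
            else:
                self.sent.append(("ERROR", b"Login failed"))
                self.transport_open = False
                self.state = TdsState.FINAL
        elif result is SpnegoResult.CONTINUE:
            self.sent.append(("SPNEGO", token))    # stay in this state
        else:
            self._abort()
        return self.state
```

Two details are worth checking against a real server: a rejected login is the only failure path that sends anything back (the "Login failed" ERROR token), while a malformed or SPNEGO-rejected packet gets no response at all, and the Continue path must keep the state at negotiation rather than advancing it, since the client's next packet is processed by these same rules.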