none
SMB2 Session Setup without Snego RRS feed

  • Question

  • I'm starting to update our SMB server to the later SMB2/3 protocols and I've stumbled into something odd. My server responds to a win 7 client's SMB negprot with an SMB2_NEGOTIATE response selecting the 0202 dialect. The security buffer contains the NTLMSSP OID (and only NTLMSSP) wrapped in SNEGO as is normally done for CIFS with extended security negotiated. The first SMB2_SESSION_SETUP request sent from win 7 contains an NTLMSSP negotiate exchange BUT it is not wrapped in SNEGO as expected by the server. Is this normal? Is there something that may be missing from the SMB2_NEGOTIATE response that is causing win 7 (and vista) to behave this way?

    regards,

    Jim

    Tuesday, May 6, 2014 5:02 PM

Answers

  • Ok. I figured this out. Basically my win 7 client was set to "require signing". I have it disabled in my server since I haven't implemented SMB2 signing yet. Basically, in this case, if the SMB2 negprot response doesn't indicate signing is enabled on the server, it cause the win 7 client to issue the subsequent session setup request without the SNEGO wrapping. That is the NTLMSSP exchange is not wrapped in SNEGO. Seems like a win 7 oddity or bug. But maybe its as designed.

    Friday, May 9, 2014 5:10 PM

All replies

  • Hello Jim -

    Thank you for contacting Microsoft Support. A support engineer will be in touch to assist further.

    Regards.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, May 6, 2014 6:32 PM
  • Hi Jim:

    I'll help you with this issue. Can you please send a network trace showing this behavior to my attention at dochelp at Microsoft dot com?


    Regards, Obaid Farooqi

    Wednesday, May 7, 2014 2:17 PM
    Owner
  • Hi Jim:

    I'll help you with this issue. Can you please send a network trace showing this behavior to my attention at dochelp at Microsoft dot com?


    Regards, Obaid Farooqi

    I can do that, but I am little fuzzy on how to do that. I can also email it to you directly if you prefer. 

    In the "older" CIFS protocol, SNEGO is negotiated as part of the Capabilities extended security flag. No such flag exists under SMB2/3 (as near as I can tell) and I would imagine that it is assumed that the security blobs are always using SNEGO. I don't see anything different in my server's SMB2_NEGOTIATE response sent back to Win7 that is different from what VISTA (for example) returns to Win 7. In my case, the first SMB2_SESSION_SETUP request sent from Win 7 to my server containing the NTLMSSP NEGOTIATE request is not wrapped in the SNEGO. My server expects it and rejects the request.

    Wednesday, May 7, 2014 4:56 PM
  • Ok. I figured this out. Basically my win 7 client was set to "require signing". I have it disabled in my server since I haven't implemented SMB2 signing yet. Basically, in this case, if the SMB2 negprot response doesn't indicate signing is enabled on the server, it cause the win 7 client to issue the subsequent session setup request without the SNEGO wrapping. That is the NTLMSSP exchange is not wrapped in SNEGO. Seems like a win 7 oddity or bug. But maybe its as designed.

    Friday, May 9, 2014 5:10 PM
  • Hi Jim:

    You can send an email to dochelp at Microsoft dot com and attach the network capture to it. In the subject line, write "att: Obaid Farooq"


    Regards, Obaid Farooqi

    Sunday, May 11, 2014 2:54 PM
    Owner