none
SMB 2.0 reauthentication issue RRS feed

  • Question

  • Hi,

    We're implementing the SMB 2.002 dialect. We're having some issues with reauthentication. Could you clarify some questions for us?

    1. Can I only reauthenticate after the session has expired (does this mean the same as kerberos service ticket expired)?

    2. Can I reauthenticate after the session has expired without receiving the NTSTATUS error - session expired?

    We're using Kerberos and GSS API to authenticate and we seem to be running issues after issues. Could you give us a sample wireshark of SMB 2.002 which uses kerberos?

    Session setup completes with no issues, and we even get GSS_COMPLETE from the GSS API, but session is closed on the server side (for now we're reauthenticating after getting the session expired response).

    Or we could upload ours and you can let us know where we're going wrong?

    Thanks and Regards,

    Thirumal Venkat

    Thursday, August 29, 2013 5:32 AM

Answers

  • Hello Thirumal,

       For SMB 2.002 dialect, an attempt to re-authenticate a valid session will result in server error STATUS_REQUEST_NOT_ACCEPTED. Expired session does mean expired security credentials i.e. Kerberos ticket.

    Also from reading SMB2 specification it seems an attempt to re-authenticate an already expired session using SESSION_SETUP should work for the dialect 2.002.

    Under normal use case scenarios, a client's request is what causes server to realize that session has expired and marks the session as expired sending STATUS_NETWORK_SESSION_EXPIRED to the client. It is not clear whether your tests are showing different results, please let us know if you have further questions.

    Just for your information if you are using SMB version >= 2.1, then you can re-authenticate when the session is still valid and also when the session has already expired without getting error STATUS_NETWORK_SESSION_EXPIRED.

     

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications

    Thursday, September 5, 2013 2:04 PM
    Moderator

All replies

  • The wireshark capture can be found here: http://sdrv.ms/17mvSB6
    Thursday, August 29, 2013 5:37 AM
  • We figured out the issue. Our code was setting PreviousSessionId instead of setting it to zero. Probably the server thought we're reconnecting and as we did not perform tree connect on this session setup, the server reset our connection

    But we definitely need the first two questions answered.

    Thanks and Regards,

    Thirumal

    Thursday, August 29, 2013 7:57 AM
  • Hi Thirumal,

    Thank you for your question.  A colleague will contact you soon to investigate this issue.

    Regards,

    Mark Miller | Escalation Engineer | Microsoft Open Protocols Team

    Thursday, August 29, 2013 12:34 PM
  • Hello Thirumal, I am the engineer who will be working with you on this issue. I am currently researching the problem and will provide you with an update soon. Thank you for your patience.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications

    Thursday, August 29, 2013 4:16 PM
    Moderator
  • Hello Thirumal,

       For SMB 2.002 dialect, an attempt to re-authenticate a valid session will result in server error STATUS_REQUEST_NOT_ACCEPTED. Expired session does mean expired security credentials i.e. Kerberos ticket.

    Also from reading SMB2 specification it seems an attempt to re-authenticate an already expired session using SESSION_SETUP should work for the dialect 2.002.

    Under normal use case scenarios, a client's request is what causes server to realize that session has expired and marks the session as expired sending STATUS_NETWORK_SESSION_EXPIRED to the client. It is not clear whether your tests are showing different results, please let us know if you have further questions.

    Just for your information if you are using SMB version >= 2.1, then you can re-authenticate when the session is still valid and also when the session has already expired without getting error STATUS_NETWORK_SESSION_EXPIRED.

     

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications

    Thursday, September 5, 2013 2:04 PM
    Moderator
  • Hello Thirumal,

                           Not sure whether your tests are showing different results from what I have posted above. Perhaps you need more time to look into this or you may already have resolved the issue from the information provided. We  will not post further messages in this thread unless you post follow up questions. If the issue is a separate one please post a new question.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications

    Monday, September 16, 2013 1:59 PM
    Moderator