none
Session Deletion after NTLM Authentication RRS feed

  • Question

  • I'm having a problem with SMB2 sessions after (seemingly) correctly authenticating with my Windows 7 PC via NTLM.

    The SESSION_SETUP four-way "handshake" seems to work correctly, with the server (my PC, accessed at 127.0.0.1) returning an accept-completed  response at the end. However, whenever I then subsequently attempt any action with the same session ID, I get an error of STATUS_USER_SESSION_DELETED; the session does not show up in the output of `net session` either. However, if I add NEGOTIATE_IDENTIFY to the NTLM flags, the session seems to be created succesfully, shows up in `net session`, however the error STATUS_BAD_IMPERSONATION_LEVEL then gets returned.

    I'm not sure how to resolve the problem from here, a packet capture of the exchange can be found at the following link:

    http://dl.dropbox.com/u/151478/smb2.pcap

    The User/Password used for NTLM authentication is Matt-Laptop\SMBTest, testing.


    • Edited by matwilko Tuesday, February 7, 2012 2:47 PM
    Tuesday, February 7, 2012 2:46 PM

Answers

  • After working with Tarun, I determined that the problem was that I was setting the "Previous Session ID" field in the second SESSION_SETUP handshake packet. This caused the server to attempt to re-authenticate a non-existant session, which led to the error described.
    • Marked as answer by matwilko Thursday, February 16, 2012 3:32 PM
    Thursday, February 16, 2012 3:32 PM

All replies

  • Hi matwilko,

    Thanks for posting on the MSDN Forum. One of our support engineers will respond soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Tuesday, February 7, 2012 7:34 PM
  • Hi Matwilko

    The purpose of this forum is to support the Open Specifications documentation. You can read about the Microsoft Open Specifications program @ http://www.microsoft.com/openspecifications/en/us/default.aspx

    The library of Open Specification documents is located here, http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx

    As you are using loopback address (127.0.0.1), your question is not an interoperability issue and does not fall under our scope.

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, February 7, 2012 10:35 PM
  • Apologies, I was under the impression that SMB2 was covered under the Open Specifications program. Regarding your other point, about it being an interoperability issue, I am in the process of developing a library to implement SMB2, thus I believe this is an interoperability issue despite the use of the loopback address (how is it much different than connecting to a different machine over the network?)

    If you could direct me to the appropriate forum to post my problem, that would be most appreciated!

    Thanks,
    Matt

    Tuesday, February 7, 2012 10:46 PM
  • Hi Matwilko

    Thanks for the update. Can you please update me on your testing environment, the machine you are using to test SMB2 library and connecting as loopback is windows machine or non-windows ? Also, are you facing this issue while connecting to nomal shares instead of \ipc$ ? 

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, February 8, 2012 1:48 AM
  • Thanks for getting back to me Tarun,

    The library is a student project, so unfortunately there's no elaborate testing environment to speak of! I'm attempting to develop it from the [MS-SMB2] spec in C#.

    The machine I'm testing it on is also the development machine (I only have limited resources!), which runs Windows 7 Professional SP1. I haven't been able to test against a truly networked machine, i.e. non-loopbacked, as of yet. The issue occurs on attempting to perform a connection to any share, or attempting to send an SMB2_LOGOFF message. (I assume this would occur for any other type of message beyond negotiate/sessionsetup, but I haven't tried yet)

    I'm working under the assumption that I've missed some required step or information in the NTLM authentication procedure vital to SMB2's functioning, but I don't know what else to try, other than to attempt to do NTLMv2 authentication rather than just NTLMv1 w/ESS, but I don't know if that is the cause/issue.

    Wednesday, February 8, 2012 2:00 AM
  • Thanks Matwilko for the additional information. Appreciate if you can send me mail at dochelp at microsoft dot com so that we can discuss the issue in detail and troubleshoot.

    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, February 8, 2012 7:31 AM
  • After working with Tarun, I determined that the problem was that I was setting the "Previous Session ID" field in the second SESSION_SETUP handshake packet. This caused the server to attempt to re-authenticate a non-existant session, which led to the error described.
    • Marked as answer by matwilko Thursday, February 16, 2012 3:32 PM
    Thursday, February 16, 2012 3:32 PM