[cifs-protocol] [REG: 112050861043432] When will clients/applications do a smb2 session reauth

Edgar Olougouna edgaro at microsoft.com
Tue May 8 23:09:24 MDT 2012


Christian,

An application is any caller who uses the High-Layer Triggered Events described in the protocol document. On Windows, this could be the SMB2 redirector or a related component in the operating system, or a third-party application.
There is no documented Windows API to request re-authentication. Invocation of GSS InitializeSecurityContext() is done by the SMB client and not by the application. 
As mentioned in my previous communication, there is no hard requirement on the client side on when an application should re-authenticate a Valid session. 
Typical examples of re-authentication on Windows are:
-	An application knows that there is a change in one of the security group memberships, and it wants the session to be re-authenticated so that the new membership changes are re-evaluated.
-	An application initially authenticates with 2-part SPN and now wants to use a stronger 3-part SPN (<service class>/<host>:<port>/<service name>) for authentication.

Regards,
Edgar
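An added example in Python (not code from this thread, from Windows, or from Samba) to make the re-authentication discussed above concrete for anyone inspecting traffic during testing: per [MS-SMB2] 3.2.4.2.3.1, a client re-authenticating an existing session sends a SESSION_SETUP request whose header SessionId names that session, whereas a first-time setup carries SessionId 0, so a packet inspector can tell the two apart from the 64-byte header alone; the SPN helper only splits the 2-part and 3-part forms Edgar mentions. The header layout is the one from [MS-SMB2] 2.2.1, and all packets and names below are constructed samples.

```python
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_SESSION_SETUP = 0x0001              # Command value of SESSION_SETUP
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses, clear on requests
# 64-byte SMB2 header, little-endian: ProtocolId, StructureSize, CreditCharge,
# Status, Command, CreditRequest, Flags, NextCommand, MessageId, Reserved,
# TreeId, SessionId, Signature
HEADER_FMT = "<4sHHIHHIIQIIQ16s"


def build_smb2_header(command, message_id, session_id=0, flags=0):
    """Build a constructed 64-byte SMB2 header (no body) for sample traffic."""
    return struct.pack(HEADER_FMT, SMB2_PROTOCOL_ID, 64, 0, 0, command, 0,
                       flags, 0, message_id, 0, 0, session_id, b"\x00" * 16)


def classify_session_setup(packet):
    """Return 'initial', 'reauth', or None for a raw SMB2 packet.

    A SESSION_SETUP request with SessionId == 0 starts a new session; one
    with a non-zero SessionId re-authenticates that existing session
    ([MS-SMB2] 3.2.4.2.3.1). Responses and other commands yield None.
    """
    if len(packet) < 64 or packet[:4] != SMB2_PROTOCOL_ID:
        return None
    fields = struct.unpack(HEADER_FMT, packet[:64])
    command, flags, session_id = fields[4], fields[6], fields[11]
    if command != SMB2_SESSION_SETUP or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    return "reauth" if session_id else "initial"


def spn_parts(spn):
    """Split an SPN into its slash-separated components.

    2-part: <service class>/<host>
    3-part: <service class>/<host>:<port>/<service name>
    """
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError("malformed SPN: %r" % spn)
    return parts


if __name__ == "__main__":
    # Constructed sample: initial setup, then a re-auth of that same session.
    for pkt in (build_smb2_header(SMB2_SESSION_SETUP, 1),
                build_smb2_header(SMB2_SESSION_SETUP, 9, session_id=0x1122334455667788)):
        print(classify_session_setup(pkt))
```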

-----Original Message-----
From: Edgar Olougouna 
Sent: Tuesday, May 08, 2012 12:02 PM
To: Christian Ambach
Cc: Stefan (metze) Metzmacher; cifs-protocol at cifs.org; pfif at tridgell.net
Subject: [REG: 112050861043432] When will clients/applications do a smb2 session reauth

Christian,

I will follow up via the new case number 112050861043432.

Thanks,
Edgar

-----Original Message-----
From: Christian Ambach [mailto:ambi at samba.org] 
Sent: Tuesday, May 08, 2012 8:25 AM
To: Edgar Olougouna
Cc: Stefan (metze) Metzmacher; cifs-protocol at cifs.org; pfif at tridgell.net
Subject: Re: [112042751520312] When will clients/applications do a smb2 session reauth

Edgar,

On 05/01/2012 11:46 PM, Edgar Olougouna wrote:
> [Question]
> "3.2.4.2.3.1 Application Requests Reauthenticating a User"
> is the related section in [MS-SMB2].
>
> What layers in the client use this feature?
> How can I trigger this?
>
> [Answer]
> Re-authentication on a Valid session is application-driven.
> For re-authentication on Expired session, see example.

[MS-SMB2] does not contain a crisp definition of what the term "application" refers to.

To us, the term "application" somehow suggests that there is an API through which an application living in userland can trigger a re-authentication.

Or does the term "application" apply to some Windows internal software like winlogon.exe and there is no publicly available API?

Just want to make sure we get the term "application" right in this context. It would be beneficial for our testing to be able to trigger a re-authentication any time via an API.

Regards,
Christian
