[cifs-protocol] [112042751520312] When will clients/applications do a smb2 session reauth

Edgar Olougouna edgaro at microsoft.com
Tue May 1 15:46:56 MDT 2012


Metze,

My colleague Tarun Chopra (in bcc) transferred me this case. See my answers [Answer] as follows.

Note: In SMB 2.1, the server was changed to support re-authentication on a Valid session which has not expired.

[Question]
In what situations do clients do a (pro active) reauthentication without getting STATUS_NETWORK_SESSION_EXPIRED from the server?

[Answer]
On the client side, re-authentication normally occurs on Expired sessions, but implementations or applications may decide to re-authenticate Valid sessions if needed. There is no requirement on the client side. The requirement is that an SMB 2.1+ server MUST support re-authentication, as specified in MS-SMB2 Section 3.3.5.5.

[Question]
"3.2.4.2.3.1 Application Requests Reauthenticating a User"
is the related section in [MS-SMB2].

What layers in the client use this feature?
How can I trigger this?

[Answer]
Re-authentication on a Valid session is application-driven.
For re-authentication on an Expired session, see the example below.

[Question]
Is the reauthentication only used with the same user account or also to switch a session to a different user (which is possible)?

[Answer]
The re-authentication is with the same user. The existing Session.SessionKey is retained.

3.3.5.5   Receiving an SMB2 SESSION_SETUP Request
3.3.5.5.3   Handling GSS-API Authentication
3.3.5.5.2   Reauthenticating an Existing Session
Session.State MUST be set to InProgress, and Session.SecurityContext set to NULL. Authentication is continued as specified in section 3.3.5.5.3. Note that the existing Session.SessionKey will be retained.

Example for SMB 2.1 session re-authentication on an expired session
*********

Typically, during authentication or re-authentication, when the endtime has already passed and a call to AcceptSecurityContext is made, the application server's Kerberos GSS call returns the error KRB_AP_ERR_TKT_EXPIRED, and the SMB server returns STATUS_NETWORK_SESSION_EXPIRED.

The client is responsible for renewing its tickets by exchanging Kerberos messages with the KDC. At renewal or issuance, the KDC will check the renew-till (initially derived from the MaxRenewAge Kerberos policy configuration) and update the endtime.

The [MS-SMB2] Server.Session.ExpirationTime MUST be set to the expiration time returned by the GSS authentication subsystem. In the case of Kerberos authentication, it would be the ticket's endtime, which was derived from the MaxServiceTicketAge when the ticket was issued.

Group Policy Management Console (gpmc.msc) can be used to configure those time periods for testing purposes (see Default Domain Policy / Account Policies / Kerberos Policy).

NOTE: KDC configuration for Kerberos ticket lifetime

The KILE implementation uses the LSAD for the configuration database. The KDC configuration for the ticket lifetime is documented in MS-KILE Section 3.3.1 and MS-LSAD 2.2.4.19. All applicable default values are documented in those sections, including:
- MaxServiceTicketAge (default 600 minutes),
- MaxTicketAge (default 10 hours),
- MaxRenewAge (default 7 days).
Please note that MaxTicketAge and MaxRenewAge apply to TGTs. MaxServiceTicketAge applies to TGSs and must be less than or equal to MaxTicketAge.

The [RFC4120] endtime is the upper bound on the expiration time for the ticket; that is when the current instance of the ticket expires. 
The [RFC4120] renew-till is enforced by the KDC and indicates the maximum endtime that may be included in a renewal. The renew-till can be thought of as the absolute expiration time for the ticket, including all renewals; that is the latest permissible value for an individual expiration time.

Thanks,
Edgar
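The rules laid out above (Session.ExpirationTime taken from the GSS ticket endtime, STATUS_NETWORK_SESSION_EXPIRED once it passes, re-authentication keeping the SessionKey, and SMB 2.0.2 refusing re-authentication of a Valid session) can be modelled as a small state machine. This is an added illustration, not code from the thread, MS-SMB2 or any SMB implementation; the Session fields, the policy defaults and the GSS exchange stub are the assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Dialect revisions and the status codes named in the thread
SMB2_DIALECT_0202 = 0x0202      # SMB 2.0.2
SMB2_DIALECT_0210 = 0x0210      # SMB 2.1
STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_NETWORK_SESSION_EXPIRED = "STATUS_NETWORK_SESSION_EXPIRED"
STATUS_REQUEST_NOT_ACCEPTED = "STATUS_REQUEST_NOT_ACCEPTED"


@dataclass
class Session:
    """Subset of the [MS-SMB2] server Session object used by this model (assumed shape)."""
    session_id: int
    session_key: bytes
    expiration_time: datetime
    state: str = "Valid"            # Valid | Expired | InProgress
    security_context: object = None


def kerberos_endtime(issued_at, max_service_ticket_age_min=600, max_ticket_age_h=10):
    """Service ticket endtime from the Kerberos Policy values (defaults quoted in the thread).
    MaxServiceTicketAge may not exceed MaxTicketAge, so the smaller of the two applies."""
    lifetime = min(timedelta(minutes=max_service_ticket_age_min),
                   timedelta(hours=max_ticket_age_h))
    return issued_at + lifetime


def handle_request(session, now):
    """Any ordinary request on the session: fails once the GSS-supplied expiry has passed."""
    if session.state == "Expired" or now >= session.expiration_time:
        session.state = "Expired"
        return STATUS_NETWORK_SESSION_EXPIRED
    return STATUS_SUCCESS


def session_setup_reauth(session, dialect, new_gss_expiry):
    """SESSION_SETUP that carries an existing SessionId (model of MS-SMB2 3.3.5.5.2)."""
    if session.state == "Valid" and dialect < SMB2_DIALECT_0210:
        # SMB 2.0.2 only re-authenticates Expired sessions (per the original question)
        return STATUS_REQUEST_NOT_ACCEPTED
    session.state, session.security_context = "InProgress", None
    # ... GSS exchange continues as in 3.3.5.5.3 (stubbed here) ...
    session.security_context, session.state = "gss-context", "Valid"
    session.expiration_time = new_gss_expiry    # new ticket endtime from the GSS subsystem
    # session.session_key is deliberately left untouched: the existing key is retained
    return STATUS_SUCCESS
```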

-----Original Message-----
From: Tarun Chopra 
Sent: Friday, April 27, 2012 12:55 PM
To: Stefan (metze) Metzmacher
Cc: cifs-protocol at cifs.org; pfif at tridgell.net; Christian Ambach; MSSolve Case Email
Subject: RE:[112042751520312] When will clients/applications do a smb2 session reauth

[Sreekanth and dochelp to Bcc, Casemail to Cc] [Adding Case number in subject]

Hi Metz

I will be assisting you with this inquiry and the case number for follow up is: 112042751520312.

As stated in our specification, "dochelp at microsoft.com" should always be used to engage our team. Any other email alias like "dochelp at winse.microsoft.com" should not be used. We understand that some e-mail systems expand dochelp at microsoft.com to a fully qualified name, such as dochelp at winse.microsoft.com. However, the location of the dochelp at microsoft.com mailbox may move without notice, resulting in a change of the fully qualified name. We thank you for bringing this to our attention and would appreciate it if you could please inform other team members to send mails directly to "dochelp at microsoft.com".

Thanks
Tarun Chopra.


-----Original Message-----
From: Sreekanth Nadendla
Sent: Friday, April 27, 2012 7:15 AM
To: Stefan (metze) Metzmacher; Interoperability Documentation Help
Cc: cifs-protocol at cifs.org; pfif at tridgell.net; Christian Ambach
Subject: RE: When will clients/applications do a smb2 session reauth

Hello Stefan,
Thank you for your inquiry about file sharing protocols. One of the Open Specifications team members will contact you soon.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications


-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Friday, April 27, 2012 7:35 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at cifs.org; pfif at tridgell.net; Christian Ambach
Subject: When will clients/applications do a smb2 session reauth

Hi,

with SMB 2.1 (and higher) it's possible to do a session re-authentication without getting a STATUS_NETWORK_SESSION_EXPIRED. With SMB 2.0 STATUS_REQUEST_NOT_ACCEPTED is returned.

In what situations do clients do a (pro active) reauthentication without getting STATUS_NETWORK_SESSION_EXPIRED from the server?

"3.2.4.2.3.1 Application Requests Reauthenticating a User"
is the related section in [MS-SMB2].

What layers in the client use this feature?
How can I trigger this?

Is the reauthentication only used with the same user account or also to switch a session to a different user (which is possible)?

BTW: is there a reason why <dochelp at winse.microsoft.com> doesn't work anymore?

metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpmc_domain_policy_kerberos.jpg
Type: image/jpeg
Size: 51302 bytes
Desc: gpmc_domain_policy_kerberos.jpg
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20120501/41e3babd/attachment-0001.jpg>
