Network and Storage Protocols

Ontap9.3 - SMB Session Setup - Krb AP-REP Duplicate resp token as mechListMIC


Server: NetApp Ontap 9.3 Server

Protocol: SMB2 

Command: SMB2 Session Setup


We are seeing an issue with Netapp Ontap 9.3 server's Session Setup Response when using Kerberos Authentication, in the AP-REP response token, it is sending a duplicate SPNEGO Response token in the mechListMIC field instead of sending the MIC signature. Please refer the left side pane of the attached image for the buggy packet Vs right side for the correct one.

As a result, clients trying to parse and do MIC-verification will fail it as a defective token.


A similar issue was also seen with Windows 2000 Server.


So looks like NetApp also has to fix this.

The heimdal gssapi has provided a way to work around (and skip MIC Verification) by safely omiting this buggy spnego token, but the server has to send a OID flag "BUGGY SPNEGO" for clients to safe-omit this mic-verification.


Refer github diff at


File name: lib/gssapi/spnego/init_sec_context.c  

Look for the comment lines below:

/* ...unless its a windows 2000 server that sends the
* responseToken inside the mechListMIC too. We only
* accept this condition if would have been safe to omit
* anyway. */





Thank you for sharing your findings.

Are you experiencing it with any other Ontap version?