DOCUMENT:Q103390 08-AUG-2001 [winnt] TITLE :Network Access Validation Algorithm and Example PRODUCT :Microsoft Windows NT PROD/VER:3.1 3.5 3.51 4.0 OPER/SYS: KEYWORDS:kbnetwork ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Advanced Server, version 3.1 - Microsoft Windows NT Server versions 3.5, 3.51, 4.0 ------------------------------------------------------------------------------- The following is a simplified algorithm that explains how Windows NT Advanced Server account validation is observed to function during network access. This discussion does not cover the internal workings of this process. With this information, you can predict Windows NT network logon behavior under deterministic conditions. Keep in mind when following this article that the local database is the ONLY database on a domain controller. But on the other server and all workstations the local database is different than the domain controller. NOTE: All references to Windows NT Advanced Server in this article also include Windows NT Server. Background Information ---------------------- When two Microsoft network systems communicate over a network, they use a high-level protocol called server message block (SMB). These commands are embedded within the transport protocols like NetBEUI or TCP/IP. When a client carries out a NET USE command, it sends out a "SMB Session Setup and X" frame. In Windows NT, the Session Setup SMB includes the user account, a function of the encrypted password and login domain. An Advanced Server will look at all of this information to determine if the client has permissions to complete the NET USE command. Algorithm --------- Windows NT workstation sends the following command to an Advanced Server: NET USE x: \\server\share The Windows NT client sends a Session Setup SMB that contains its Login Domain, User Account and Password. The Advanced Server checks the SMB specified Domain name If the domain is the Advanced Server's own Domain then It checks its own Domain SAM[Security Account Manager]database for a matching account. If it finds a matching account then The SMB password is compared to the Domain Database password. If the password matches then The Command Completed Successfully. If the password does NOT match then User is prompted for a password. It is retested as above. System error 1326 has occurred. Logon failure: unknown user name or bad password. End If it does NOT find the account in the domain SAM database then Guest permissions are tested. If the Guest account is Enabled The Command Completed Successfully. If the Guest account is Disabled * See Note A. User is prompted for a password. System error 1326 has occurred. Logon failure: unknown user name or bad password. End If the Domain specified in the SMB is one that the Advanced Server TRUSTS then The Advanced Server will do pass through authentication. The network logon request will be sent to an Advanced Server in the specified Trusted Domain. The Trusted Domain Advanced Server checks its own Domain database for a matching account. If it finds a matching account then It looks to see if the Account is a Local or Global Account. If the Account is Local then Guest permissions on the Original Server are tested. If the Guest account is Enabled The Command Completed Successfully. If the Guest account is Disabled * See Note A. User is prompted for a password. System error 1326 has occurred. Logon failure: unknown user name or bad password. End If the Account is Global The SMB password is compared to the Domain Database password. If the password matches then The Command Completed Successfully. * See Note B. If the password does NOT match then User is prompted for a password. It is retested as above. System error 1326 has occurred. Logon failure: unknown user name or bad password. End If it does NOT find the account in the Trusted domain database then Guest permissions are tested on the ORIGINAL Advanced Server -NOT the Trusted Advanced Server. * See Note C. If the Guest account is Enabled User will have original server guest access. The Command Completed Successfully. If the Guest account is Disabled * See Note A. User is prompted for a password. System error 1326 has occurred. Logon failure: unknown user name or bad password. End If the Domain specified in the SMB is UNKNOWN by the Advanced Server. [A Domain was specified but it was not recognized by the Server as a Trusted Domain or its own.] It will check its own Domain Account Database for a matching account If the Advanced Server finds a matching account then The SMB password is compared to the Domain Database password. If the password matches then The Command Completed Successfully. If the password does NOT match then The User is prompted for a password. It is retested as above. System error 1326 has occurred. Logon failure: unknown user name or bad password. End If it does NOT find the account in the domain database then Guest permissions are tested. If the Guest account is Enabled The Command Completed Successfully. If the Guest account is Disabled System error 1326 has occurred. Logon failure: unknown user name or bad password. End If the Domain specified in the SMB is NULL [None specified] then The Advanced Server will treat this a local network logon. It will check for a matching account in its own SAM Database. If it finds a matching account then The SMB password is compared to the SAM Database password. If the password matches then The Command Completed Successfully. If the password does NOT match then The User is prompted for a password. It is retested as above. System error 1326 has occurred. Logon failure: unknown user name or bad password. End If it does NOT find the account in the local SAM Database then The Advanced Server will Simultaneously ask another Advanced Server in each Domain that it Trusts if it has account that matches the SMB account. The first Trusted Advanced Server to reply is sent a request to perform pass through authentication of the client information. The Trusted Advanced Server will look in its own SAM Database. If an account that matches the SMB account is found then It looks to see if the Account is a Local or Global Account. If the Account is Local then Guest permissions on the original Server are tested. If the Guest account is Enabled The Command Completed Successfully. If the Guest account is Disabled The user will be prompted for a password. No matter what password is entered, user will receive "Error 5: Access has been denied." End If the Account is Global The password specified in the SMB is compared to the SAM Database password. If the password matches then The Command Completed Successfully. If the password does NOT match then The User is prompted for a password. It is retested as above. System error 1326 has occurred. Logon failure: unknown user name or bad password. End If no Trusted Domains respond to request to identify the account then Guest permissions are tested on the Original Advanced Server - not the Trusted server. If the Guest account is Enabled The Command Completed Successfully. If the Guest account is Disabled System error 1326 has occurred. Logon failure: unknown user name or bad password. End Notes ----- 1. At the point that the GUEST account is disabled and the user does not have an account, the Windows NT Server will still request a password. Although no password will meet its requirements, it will still request it. This is a security measure. It insures that an unauthorized user cannot tell the difference between a case where an account exists and when the account does not exist. Password prompting always occurs regardless if the account exists. 2. At this point, the following information is returned from the Trusted Domain in the Response: Domain SID, User ID, Global Groups Memberships, Logon Time, Logoff Time, KickOffTime, Full Name, Password LastSet, Password Can Change Flag, Password Must Change Flag, User Script, Profile Path, Home Directory and Bad Password Count. - Guest account only matters in the domain of the Server you are attempting to access. Guest accounts on trusted domains never come into play. - All steps above assume Global Account unless specified as Local Account. See the "Concepts and Planning Guide" for more information on account types. - The actual internal process is more complicated than the steps described above. - This does not cover the actual pass-through authentication mechanics. For more information, query on the following words in the Microsoft Knowledge Base: authentication and msv - This does not cover the password encryption process used in Windows NT. For more information, query on the following words in the Microsoft Knowledge Base: authentication and msv A function of the One Way Encrypted password is sent. - This article does not detail the internal workings of the MS Authentication Module. - The above model assumes that the Guest Account, when enabled, has no password. This is the default in Windows NT. If a guest account password is specified, it must match the users password that sends in the SMB. Example ------- The following are examples of this algorithm in action: I am logged on to my Windows NT workstation local computer. I am using the same account name and password that is in SCRATCH-DOMAIN Advanced Server Domain account database. When I carry out the NET USE \\SCRATCH (Domain Controller for SCRATCH-DOMAIN) command, the command completes successfully. When I carry out the NET USE \\NET (Controller that Trust SCRATCH-DOMAIN) command. I receive the error message "System error 1326 has occurred. Logon failure: unknown user name or bad password." My account \SCRATCH-DOMAIN\USER1 has permissions on \\NET? What is the problem? Configurations -------------- Windows NT workstation: -Login account: USER1 -Password: PSW1 -Login Domain: LOCAL1 Windows NT Advanced Server: -Server Name: NET -Advanced Server Domain: NET-DOMAIN -Trust: NET-DOMAIN Trust SCRATCH-DOMAIN (Therefore, accounts on SCRATCH-DOMAIN can be granted permissions in the NET- DOMAIN. - Domain Account Database for NET-DOMAIN does NOT contain an account for USER1. - Guest Account is DISABLED. Windows NT Advanced Server: -Server Name: SCRATCH -Advanced Server Domain: SCRATCH-DOMAIN -Domain Database contains account: USER1 -Domain Database contains password: PSW1 Answer ------ In this example, the Windows NT workstation is logged on to its local workstation domain--not the Advanced Server SCRATCH-DOMAIN where its domain account resides. NET USE x: \\NET\share - When the Windows NT workstation carried out the NET USE x: \\NET\share command, it sent out account = "USER1", password = "PSW1" and domain = "LOCAL1" in the Session Setup SMB. - The Advanced Server \\NET received the SMB and looked at the account name. - It looks in its local domain account database and does not find a match. - \\NET then looks at the SMB Domain name. - It does not trust "LOCAL1" so it does not check any of its trusted domains. - \\NET then checks its Guest account. - The guest account is disabled so the "System error 1326 has occurred. Logon failure: unknown user name or bad password." message is generated. NET USE x: \\SCRATCH\share - When the Windows NT workstation carried out the NET USE x: \\SCRATCH\share command, it sent out account = "USER1", password = "PSW1" and domain = "LOCAL1" in the Session Setup SMB. - The Advanced Server \\SCRATCH receives the SMB and looks at the account name. - It looks in its local domain account database and finds a match. - \\SCRATCH then compares the SMB password to the Domain account password. - The passwords match so the "Command Completes Successfully" message is generated. In these cases, the trust relationship does not come into play. If the Workstation had been logged on to the SCRATCH-DOMAIN, the NET USE x: \\NET\share command would have been successful. The real answer here is to have all workstations log on to an Advanced Server domain. In order to login, the user must specify their correct domain, account, and password. After this is done, all NET USE type commands will pass the correct domain, account, and password. Administrators should try and avoid duplicate accounts on both Windows NT workstations and multiple Advanced Server domains. USER: Workaround ---------------- There is one workaround that can be used in these cases. From the Windows NT workstation, you could carry out the following command NET USE X: \\NET\SHARE /USER:SCRATCH-DOMAIN\USER1 PSW1 where - \\NET = The computer name of the Advanced Server being accessed. - \SHARE = The share name. - /USER: command line parameter that lets you specify the domain, account and password that should be specified in the Session Setup SMB. - SCRATCH-DOMAIN = Domain name of the Advanced Server where the user account resides. - \USER1 = account to be validated against. - PSW1 = password that matches account on the domain. For more information, type the following at a Windows NT command prompt: NET USE /? NULL Domain Names ----------------- In addition to Windows for Workgroups 3.1, other Microsoft network clients also send NULL Domain Names in the Session Setup SMB [x73]. They will also exhibit the behavior described above in the example problem. The following is a table of how each client handles the Domain Name. MS Network Domain Name Client Specified --------------------------------------------- Windows for Workgroups 3.1 NULL Windows for Workgroups 3.11 Logon domain name. MS OS/2 LAN Manager 2.0, 2.1, and 2.2 NULL MS-DOS LAN Manager 2.0 NULL MS-DOS LAN Manager 2.1 & 2.2 Logon domain name. * See Note below. (Including Windows on MS-DOS) Windows NT 3.1 Logon domain name. Notes ----- The default domain name is specified in the LANMAN.INI file on the "DOMAIN =" line. This can be overridden by the /DOMAIN: switch with the NET LOGON command. There are typically two representations for "NULL" in the SMB: A zero-length domain name and a one-byte domain name consisting of the character '?'. The Windows NT SMB server catches the '?' and translates it to NULL before passing it to the local security authority (LSA). Troubleshooting --------------- A good tip for troubleshooting network access problems is to enable auditing by doing the following: 1. In the User Manager for Domains window, choose Audit from the Policies menu. 2. Select the Audit These Events button. 3. Select the Logon and Logoff Success and Failure options. Now, anytime a network user access this server remotely, an audit trail will be logged in the Event Viewer. In the Event Viewer, choose Security from the Log menu to see the events. For information on trust relationships, pass-through authentication, user permissions, and domain logins, please see your Windows NT Advanced Server "Concepts and Planning" guide or query on the following words in the Microsoft Knowledge Base: authentication and pass-through Additional query words: wfw wfwg prodnt ====================================================================== Keywords : kbnetwork Technology : kbWinNTsearch kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTAdvSerSearch kbWinNTAdvServ310 kbWinNTS351search kbWinNTS350search kbWinNT310Search Version : 3.1 3.5 3.51 4.0 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.