Logon Process for Active Directory Domain User Account With a Windows NT 4.0 Computer Account (319494)



The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server

This article was previously published under Q319494

SUMMARY

This article describes how a user who has a Windows 2000 Active Directory domain user account can log on to a Windows 2000 Professional client when the client's computer account is in a Windows NT 4.0 domain.

MORE INFORMATION

This scenario uses both NTLM and Kerberos to authenticate the user account.

Configuration:

  1. Windows 2000 client (named "client" or "the client" in the example).
  2. Windows NT 4.0 resource domain controller (named "R_DC" in the example).
  3. Windows 2000 accounts domain controller (named "A_DC" in the example).

The logon occurs in two phases. In the first phase, the client authenticates its computer account. In the second phase, the user account logs on to the client.

Computer Account Authentication

  1. The client uses NetBIOS name resolution (WINS, broadcast, lmhosts, and so on) to locate a domain controller.
  2. R_DC responds to the client, and the computer account is authenticated (this is the process of setting up a secure channel).

User Logs On to Workstation

Part 1: First Kerberos Authentication

  1. The user logs on by typing the user's credentials on the client.
  2. The client uses DNS to locate a Key Distribution Center (KDC), which is the A_DC.
  3. The client requests a ticket for the workstation from the KDC. The KDC responds that no such account exists, so the client reverts to NTLM authentication.

Part 2: NTLM Authentication

  1. The client passes the user's logon credentials across a secure channel to the R_DC.
  2. The R_DC does not have this account in its database, but knows of a trust to the accounts domain on the A_DC. A secure channel from the R_DC to the A_DC is used.
  3. The R_DC passes the user's credentials to the A_DC. The A_DC authenticates the user account.
  4. The R_DC returns the successful authentication to the client.
  5. The R_DC passes the name of the A_DC to the client (this is the Logon_Server value).

Part 3: Final Kerberos Authentication

  1. The client must now connect to the Logon_Server (which is the A_DC) to look for policies, login scripts, and the like.
  2. The client uses Kerberos to obtain a ticket for the A_DC.
  3. The KDC grants the tickets, and then the client uses Kerberos for authentication to the A_DC.
  4. The client processes policies, scripts, and the like as the client receives them.
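
The two phases above, traced as a small Python model. This is an added example, not part of the original article; the account name alice, the CLIENT$ machine account, the passwords, and the SHA-256 credential hash are constructed stand-ins and do not reproduce real NTLM or Kerberos messages.

```python
import hashlib
import hmac

def h(secret):
    # Stand-in credential hash for this model; not real NTLM or Kerberos key derivation.
    return hashlib.sha256(secret).hexdigest()

# Constructed sample data: the accounts each domain controller holds.
A_DC = {"name": "A_DC", "kdc": True, "accounts": {"alice": h(b"pw-alice")}, "trusts": []}
R_DC = {"name": "R_DC", "kdc": False, "accounts": {"CLIENT$": h(b"machine-pw")}, "trusts": [A_DC]}

def check(dc, account, secret):
    stored = dc["accounts"].get(account)
    return stored is not None and hmac.compare_digest(stored, h(secret))

def ntlm_logon(dc, user, password, trace):
    # Authenticate locally if the account is here, otherwise pass through each trust.
    if user in dc["accounts"]:
        ok = check(dc, user, password)
        trace.append(("NTLM", dc["name"], "authenticated" if ok else "bad credentials"))
        return dc if ok else None
    for trusted in dc["trusts"]:
        trace.append(("NTLM", dc["name"], "pass-through to " + trusted["name"]))
        found = ntlm_logon(trusted, user, password, trace)
        if found:
            return found
    return None

def logon(user, password, machine="CLIENT$", machine_pw=b"machine-pw"):
    trace = []
    # Computer account authentication: secure channel to the resource DC.
    if not check(R_DC, machine, machine_pw):
        trace.append(("secure channel", "R_DC", "computer account rejected"))
        return None, trace
    trace.append(("secure channel", "R_DC", "established"))
    # Part 1: the KDC (A_DC) holds no account for the workstation, so the client reverts to NTLM.
    if machine not in A_DC["accounts"]:
        trace.append(("Kerberos", "A_DC", "no such account: " + machine))
    # Part 2: NTLM over the secure channel, passed through the trust to the accounts domain.
    server = ntlm_logon(R_DC, user, password, trace)
    if server is None:
        return None, trace
    # Part 3: Kerberos ticket for the Logon_Server before policies and scripts are fetched.
    if server["kdc"]:
        trace.append(("Kerberos", server["name"], "ticket granted for Logon_Server"))
    return server["name"], trace
```

Calling logon("alice", b"pw-alice") returns the Logon_Server name and a trace in which the user's credentials are verified in the NTLM steps, with Kerberos used only before and after them.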

REFERENCES

For additional information about NTLM and Kerberos authentication protocols, see the following articles in the Microsoft Knowledge Base:

147706 How to Disable LM Authentication on Windows NT

217098 Basic Overview of Kerberos User Authentication Protocol in Windows 2000


Modification Type: Major
Last Reviewed: 11/19/2003
Keywords: kbinfo KB319494