How does Microsoft Active Directory handle user authentication?

Solution 1

Here's a nice detailed article on the process that I found by searching for Windows logon process.
http://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx

Good luck

Solution 2

I don't know what exam this is going to be, but if you had taken any actual Microsoft AD-related classes you would not spout such nonsense.

  1. The user enters credentials on the local machine.
  2. The local machine checks if it already has an authentication ticket for these credentials.
  3. If not, it contacts the first ADS server it can find that offers Kerberos authentication functions.
  4. The ADS machine checks the credentials against the LDAP database.
  5. If they check out, Kerberos returns a TGT (ticket-granting ticket) to the client machine.
  6. For a certain duration set in AD (usually 8 to 10 hours) this TGT will bypass any credential checking in case the local machine user wishes to connect to resources that require permissions not present in his bare user account (i.e. group memberships, additional machine and share access, etc.).

The TGT is what allows SSO behaviour across all members and services of a windows domain.
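The six steps above, played out end to end as an added example (this is not code from the answer or from any Microsoft component). It is a toy model of the three Kerberos exchanges that a domain logon and a subsequent share access involve: AS exchange (password-derived key proves identity, a TGT comes back), TGS exchange (TGT is traded for a service ticket), AP exchange (the file server validates the ticket on its own). The realm, user, password, SPN and group names are constructed; the "seal/unseal" cipher is an HMAC-SHA256 stand-in for the AES-CTS/HMAC-SHA1 profile real Kerberos uses (RFC 3962), and the `groups` field stands in for the PAC that AD embeds in tickets:

```python
"""Toy Kerberos logon flow: AS exchange -> TGT, TGS exchange -> service ticket,
AP exchange at the service. Added example; crypto and message layout are
simplified stand-ins, not the real Kerberos wire format."""
import hashlib, hmac, json, os

REALM = "EXAMPLE.LOCAL"          # constructed realm name
TGT_LIFETIME = 10 * 3600         # AD default maximum ticket lifetime is 10 hours

def string_to_key(password: str, principal: str) -> bytes:
    # RFC 3962 style: PBKDF2 over the password, salted with realm + principal
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096, 32)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag), constructed for this example."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("KRB_AP_ERR_BAD_INTEGRITY")   # wrong key or tampered blob
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Domain controller: holds every principal's long-term key and issues tickets."""
    def __init__(self):
        self.keys, self.groups = {"krbtgt": os.urandom(32)}, {}
    def add_user(self, name, password, groups=()):
        self.keys[name], self.groups[name] = string_to_key(password, name), list(groups)
    def add_service(self, spn, password):
        self.keys[spn] = string_to_key(password, spn)
    def as_exchange(self, cname, preauth, now):
        # AS-REQ carries pre-authentication: a timestamp sealed under the user's key.
        try:
            ts = unseal(self.keys[cname], preauth)["timestamp"]
        except PermissionError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None  # bad password
        if abs(now - ts) > 300:
            raise PermissionError("KRB_AP_ERR_SKEW")
        sk = os.urandom(32)  # session key shared between client and KDC
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sk": sk.hex(),
                                         "groups": self.groups[cname], "end": now + TGT_LIFETIME})
        return tgt, seal(self.keys[cname], {"sk": sk.hex()})        # AS-REP
    def tgs_exchange(self, tgt, authenticator, spn, now):
        t = unseal(self.keys["krbtgt"], tgt)       # only the KDC can open a TGT
        if now > t["end"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)   # proves the client holds the session key
        if a["cname"] != t["cname"]:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        ssk = os.urandom(32)
        ticket = seal(self.keys[spn], {"cname": t["cname"], "sk": ssk.hex(),
                                       "groups": t["groups"], "end": now + TGT_LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk.hex()})   # TGS-REP

class Service:
    """A member server (e.g. a file share); knows only its own key, never the user's."""
    def __init__(self, spn, password):
        self.spn, self.key = spn, string_to_key(password, spn)
    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)               # no call back to the DC is needed
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["cname"] != t["cname"]:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        return {"user": t["cname"], "groups": t["groups"]}

class Workstation:
    def __init__(self, kdc):
        self.kdc, self.cache = kdc, {}           # cache plays the role of the local ticket cache
    def logon(self, user, password, now):
        key = string_to_key(password, user)      # the password itself never leaves the machine
        tgt, rep = self.kdc.as_exchange(user, seal(key, {"timestamp": now}), now)
        self.cache[user] = {"tgt": tgt, "sk": bytes.fromhex(unseal(key, rep)["sk"])}
    def access(self, user, service, now):
        c = self.cache[user]                     # reuse the TGT; no credentials are re-entered
        ticket, rep = self.kdc.tgs_exchange(c["tgt"], seal(c["sk"], {"cname": user, "timestamp": now}), service.spn, now)
        ssk = bytes.fromhex(unseal(c["sk"], rep)["sk"])
        return service.ap_exchange(ticket, seal(ssk, {"cname": user, "timestamp": now}))

def demo():
    """Logon, share access, wrong password, and expired TGT, with a fixed clock."""
    kdc = KDC()
    kdc.add_user("alice", "Winter2024!", groups=["Domain Users", "FileShare-RW"])  # constructed
    kdc.add_service("cifs/fileserver", "svc-pw")
    fs, ws, t0, out = Service("cifs/fileserver", "svc-pw"), Workstation(kdc), 1_700_000_000, {}
    ws.logon("alice", "Winter2024!", now=t0)
    out["access"] = ws.access("alice", fs, now=t0 + 60)
    try:
        ws.logon("alice", "wrong-password", now=t0)
    except PermissionError as e:
        out["wrong_password"] = str(e)
    try:
        ws.access("alice", fs, now=t0 + TGT_LIFETIME + 1)   # TGT past its end time
    except PermissionError as e:
        out["expired"] = str(e)
    return out

if __name__ == "__main__":
    print(demo())
```

What the run shows beyond the list: the client never sends its password, only proof of the password-derived key; the TGT is opaque to the client (sealed under the krbtgt key), so a stolen cache entry is useful only until the ticket's end time; group membership travels inside the ticket, which is why a group change does not take effect until a new logon; and the file server authorises the user from the ticket alone, without asking a domain controller.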

Author by

Master of Celebration
Updated on September 18, 2022

Comments

  • Master of Celebration
    Master of Celebration almost 2 years

    As I am looking for more information for my final exam I was wondering how the process of authenticating Windows users works.

    In my own imagination it could possibly go like this:

    1. user enters login information on his Windows machine
    2. machine passes credentials to PDC
    3. PDC asks the Active Directory
    4. AD matches entry with its database
    5. AD tells PDC --> O.K.
    6. PDC tells Windows machine --> O.K.
    7. Windows machine logs on user

    But maybe the Windows machine just skips the PDC and passes the request directly to the Active Directory service (e.g. Unix machines pass authentication requests to an LDAP server...)?

    Does anybody know exactly how this works?

    • MDMarra
      MDMarra about 12 years
      Unless you have an NT4 domain, there are no PDCs any more. There is a PDC emulator FSMO role, but it's entirely different than what a PDC was.
    • adaptr
      adaptr about 12 years
      Not really; in case all goes to hell in your domain, it's the machine with the PDC role that acts as tie-breaker for any and all conflicts.
    • MDMarra
      MDMarra about 12 years
      @adaptr It's the PDC emulator role, and it's entirely different than a PDC used to be. What you say is correct, but it's still not a PDC.
    • user1364702
      user1364702 about 12 years
      Wait...given the comments to answers and whatnot...are you authenticating Windows users via a Linux system acting as a PDC via SAMBA that in turn is asking an AD controller for credentials? Because if so that's really specific and should be spelled out here...
    • adaptr
      adaptr about 12 years
      @MDMarra yeah... that :)
  • user1364702
    user1364702 about 12 years
    It's usually encouraged to put a summary of material in the answer, just because links stagnate or go dead over time so the answer won't be useful to later searchers. The link should be used to support the answer and not be the answer.
  • Master of Celebration
    Master of Celebration about 12 years
    great work uSlackr, thanks! Cite: "during a domain logon, the LSA on a domain controller validates the user. The LSA evaluates the user's credentials to determine if the logon should be processed as a logon to a local account or a logon to a domain account."
  • Master of Celebration
    Master of Celebration about 12 years
    well, the exam is majorly depending on Linux machines :-) thank you anyway.
  • adaptr
    adaptr about 12 years
    ...and they would expect you to answer Windows questions because ?
  • Master of Celebration
    Master of Celebration about 12 years
    ...they want me to compare some processes with e.g. Microsoft-like strategies, to enhance the difficulty level a bit :-)