
As I am looking for more information for my final exam I was wondering how the process of authenticating Windows users works.

In my own imagination it could possibly go like this:

  1. user enters login information on his Windows machine
  2. machine passes credentials to PDC
  3. PDC asks the Active Directory
  4. AD matches entry with its database
  5. AD tells PDC --> O.K.
  6. PDC tells Windows machine --> O.K.
  7. Windows machine logs on user

But maybe the Windows machine just skips the PDC and passes the request directly to the Active Directory service (e.g. Unix machines pass authentication requests to an LDAP server...)?

Does anybody know exactly how this works?

adaptr
    Unless you have an NT4 domain, there are no PDCs any more. There is a PDC emulator FSMO role, but it's entirely different than what a PDC was. – MDMarra Apr 18 '12 at 12:23
  • Not really; in case all goes to hell in your domain, it's the machine with the PDC role that acts as tie-breaker for any and all conflicts. – adaptr Apr 18 '12 at 12:30
  • @adaptr It's the PDC *emulator* role, and it's entirely different than a PDC used to be. What you say is correct, but it's still not a PDC. – MDMarra Apr 18 '12 at 12:56
  • Wait...given the comments to answers and whatnot...are you authenticating Windows users via a Linux system acting as a PDC via SAMBA that in turn is asking an AD controller for credentials? Because if so that's *really* specific and should be spelled out here... – Bart Silverstrim Apr 18 '12 at 13:20
  • @MDMarra yeah... that :) – adaptr Apr 18 '12 at 15:03

2 Answers


I don't know what exam this is going to be, but if you had taken any actual Microsoft AD-related classes you would not spout such nonsense.

  1. user enters credentials on the local machine.
  2. local machine checks if it already has an authentication ticket for these credentials.
  3. if not, it contacts the first ADS server it can find that offers Kerberos authentication functions
  4. the ADS machine checks the credentials against the LDAP database.
  5. if they check out, Kerberos returns a TGT (ticket-granting-ticket) to the client machine
  6. for a certain duration set in AD (usually 8~10 hours) this TGT will bypass any credential checking in case the local machine user wishes to connect to resources that require permissions not present in his bare user account (i.e. group memberships, additional machine and share access, etc.)

The TGT is what allows SSO behaviour across all members and services of a windows domain.

adaptr
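To make the sequence in the answer above concrete, here is an added Python model of the Kerberos AS and TGS exchanges as a domain logon uses them. It is an illustration written for this page, not code from the answer or from Microsoft. The realm EXAMPLE.LOCAL, the account alice and its password are constructed; the cipher is a toy HMAC-SHA256 stand-in for the AES encryption types a real domain controller uses, and messages are plain dicts rather than ASN.1 KRB structures. It shows pre-authentication (the encrypted timestamp that a wrong password cannot produce), the TGT that the workstation caches after a successful AS exchange, and how later service-ticket requests are served from that cached TGT with no password involved until the ticket expires.

```python
"""Toy model of the Kerberos exchanges behind a Windows domain logon.

Illustration added to this page, not Microsoft's code. A real DC uses
AES encryption types and ASN.1-encoded KRB messages; here the cipher is
an HMAC-SHA256 stand-in (keystream plus tag), keys come from PBKDF2, and
messages are plain dicts. Realm, account and password are constructed.
"""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.LOCAL"     # constructed realm name
TGT_LIFETIME = 10 * 3600    # seconds; the AD default ticket lifetime is 10 hours
CLOCK_SKEW = 5 * 60         # seconds; Kerberos tolerates 5 minutes by default


def string_to_key(password: str, salt: str) -> bytes:
    """Password -> long-term key. AES etypes use PBKDF2 salted with REALM+name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Stand-in for Kerberos EncryptedData: nonce || ciphertext || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Wrong key -> tag mismatch -> ValueError (cf. KRB_AP_ERR_BAD_INTEGRITY)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """The Key Distribution Center on a domain controller (AS and TGS services)."""

    def __init__(self, accounts: dict):
        # The directory stores each account's derived key, never the password.
        self.keys = {u: string_to_key(p, REALM + u) for u, p in accounts.items()}
        self.krbtgt_key = os.urandom(32)   # key of the krbtgt account

    def as_exchange(self, user: str, pa_enc_timestamp: bytes, now: float) -> dict:
        """AS-REQ with PA-ENC-TIMESTAMP pre-authentication -> AS-REP or KRB-ERROR."""
        if user not in self.keys:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        try:
            ts = decrypt(self.keys[user], pa_enc_timestamp)["timestamp"]
        except ValueError:
            return {"error": "KDC_ERR_PREAUTH_FAILED"}   # wrong password
        if abs(ts - now) > CLOCK_SKEW:
            return {"error": "KRB_AP_ERR_SKEW"}
        session_key, endtime = os.urandom(32).hex(), now + TGT_LIFETIME
        return {  # the TGT is opaque to the client: only the krbtgt key opens it
            "tgt": encrypt(self.krbtgt_key, {"cname": user, "key": session_key, "endtime": endtime}),
            "enc_part": encrypt(self.keys[user], {"key": session_key, "endtime": endtime}),
        }

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> dict:
        """TGS-REQ: the TGT plus an authenticator, not the password, proves identity."""
        ticket = decrypt(self.krbtgt_key, tgt)
        if now > ticket["endtime"]:
            return {"error": "KRB_AP_ERR_TKT_EXPIRED"}
        auth = decrypt(bytes.fromhex(ticket["key"]), authenticator)
        if auth["cname"] != ticket["cname"] or abs(auth["ctime"] - now) > CLOCK_SKEW:
            return {"error": "KRB_AP_ERR_BADMATCH"}
        return {"service_ticket": service}   # would be encrypted under the service's key


class Workstation:
    """The domain-joined client: LSA/Kerberos SSP with a per-user ticket cache."""

    def __init__(self, kdc: KDC):
        self.kdc, self.cache = kdc, {}   # cache: user -> (tgt, session_key, endtime)

    def logon(self, user: str, password: str, now: float) -> str:
        key = string_to_key(password, REALM + user)
        rep = self.kdc.as_exchange(user, encrypt(key, {"timestamp": now}), now)
        if "error" in rep:
            return rep["error"]
        part = decrypt(key, rep["enc_part"])   # only the right key opens the session key
        self.cache[user] = (rep["tgt"], bytes.fromhex(part["key"]), part["endtime"])
        return "OK"

    def service_ticket(self, user: str, service: str, now: float) -> str:
        """Later resource access: served from the cached TGT, no password involved."""
        if user not in self.cache or now > self.cache[user][2]:
            return "NO_TGT"   # cache empty or expired: the user must log on again
        tgt, skey, _ = self.cache[user]
        rep = self.kdc.tgs_exchange(tgt, encrypt(skey, {"cname": user, "ctime": now}), service, now)
        return rep.get("error") or "TICKET:" + rep["service_ticket"]
```

Two points the model makes visible: the DC never sees the password, only the client's ability to encrypt a fresh timestamp under the key derived from it, and once the TGT is cached every further ticket request is answered from the TGT and its session key, which is why a password change or account disable does not take effect on an existing session until the ticket lifetime runs out. Real AD additionally answers an un-pre-authenticated AS-REQ with KDC_ERR_PREAUTH_REQUIRED first, and the tickets carry a PAC with the user's group SIDs; both are left out here.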

Here's a nice detailed article on the process that I found by searching for Windows logon process.
http://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx

Good luck

uSlackr
    It's usually encouraged to put a summary of material in the answer, just because links stagnate or go dead over time so the answer won't be useful to later searchers. The link should be used to support the answer and not be the answer. – Bart Silverstrim Apr 18 '12 at 12:24
  • great work uSlackr, thanks! Cite: "during a domain logon, the LSA on a domain controller validates the user. The LSA evaluates the user's credentials to determine if the logon should be processed as a logon to a local account or a logon to a domain account." – Master of Celebration Apr 18 '12 at 12:26