
Imagine a Windows workgroup network where two computers each have a local account with the same username/password combination. If I log on to one computer, and try to connect to a non-public shared resource on the other, I'm not prompted for credentials — the fact that the remote computer has a local account with the same credentials as the local account on the computer I'm using means I'm authenticated "silently".

  1. I've understood this correctly, right?
  2. If so, why can I not find it documented anywhere? I have done extensive Googling. Does the feature have a name? Can anyone point me to some official documentation?

Thanks in advance.

Martin

1 Answer


It's called pass-through NTLM authentication and is documented in the NTLM TechNet article. See the section titled Pass-through authentication toward the bottom.

The NetLogon service implements pass-through authentication. It performs the following functions:

  • Selects the domain to pass the authentication request to.

  • Selects the server within the domain.

  • Passes the authentication request through to the selected server.

Selecting the domain is straightforward. The domain name is passed to LsaLogonUser. The domain name is processed as follows:

  • If the domain name matches the name of the SAM database, the authentication is processed on that computer. On a Windows workstation that is a member of a domain, the name of the SAM database is considered to be the name of the computer. On an Active Directory domain controller, the name of the account database is the name of the domain. On a computer that is not a member of a domain, all logons process requests locally.

  • If the specified domain name is trusted by this domain, the authentication request is passed through to the trusted domain. On Active Directory domain controllers, the list of trusted domains is easily available. On a member of a Windows domain, the request is always passed through to the primary domain of the workstation, letting the primary domain determine whether the specified domain is trusted.

  • If the domain name specified is not trusted by the domain, the authentication request is processed on the computer being connected to as if the domain name specified were that domain name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name.

MDMarra
  • Thanks — pass-through authentication sounds right, even though that article doesn't really say what it is, nor seem to relate to the simple scenario I'm talking about. I'm still hoping to find an article that actually says something like "Windows first attempts to pass your local logon credentials to authenticate with a remote machine..." and explains it better. With no talk of domains. Or maybe I'm just confused by the use of the word "domain" everywhere... cause I'm not using one! – Martin Dec 03 '12 at 13:02
  • The process described using NTLM is what's used when a machine isn't a member of an AD domain. If it were a member of an AD domain, it would gain access to the share using a Kerberos ticket and authentication tokens. There are certain times when NTLM is used on an AD domain instead of Kerberos, but those are rare in modern times. If you want to look for additional documentation, you should be looking at NTLMv2 docs. – MDMarra Dec 03 '12 at 13:05
  • Thank you for your help; I do appreciate it. However, the paragraphs you've quoted quite clearly do refer to a domain. Perhaps the feature is so rarely used (because larger organisations would be using AD) that Microsoft has simply failed to document it (or failed to document it in language that I can understand). – Martin Dec 03 '12 at 13:27
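The three NetLogon rules quoted in the answer, worked through for the workgroup case in the question, as an added model (constructed illustration, not Windows or Microsoft code). It assumes the client presents its own computer name as the domain part of the credential (e.g. PC1\martin), and it models the local SAM as a plain user-to-password map.

```python
"""Model of the NetLogon domain-selection rules: given a host and the domain
name in an incoming logon request, decide where the request is handled."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Host:
    name: str                       # computer name
    role: str                       # "workgroup", "member" or "dc"
    domain: Optional[str] = None    # primary domain for member/dc hosts
    trusted: Set[str] = field(default_factory=set)   # trusts known to a DC
    sam: Dict[str, str] = field(default_factory=dict)  # constructed local accounts

    def sam_name(self) -> str:
        # A DC's account database is named after the domain; any other
        # computer's SAM database is named after the computer itself.
        return self.domain if self.role == "dc" else self.name


def route(host: Host, requested_domain: str) -> Tuple[str, str]:
    """Return ("local", sam_name) or ("pass-through", domain)."""
    req = requested_domain.upper()
    # Rule 1: the name matches this computer's SAM database -> handled here.
    if req == host.sam_name().upper():
        return ("local", host.sam_name())
    # Rule 1, last sentence: a non-domain-joined computer handles everything
    # locally, so PC1\martin arriving at PC2 is checked against PC2's SAM.
    if host.role == "workgroup":
        return ("local", host.sam_name())
    # Rule 2: a domain member always forwards to its primary domain and
    # lets that domain decide whether the requested domain is trusted.
    if host.role == "member":
        return ("pass-through", host.domain)
    # Rules 2 and 3 on a DC: forward to a trusted domain; otherwise treat the
    # name as local (unknown, untrusted and mistyped names look the same).
    if req in {t.upper() for t in host.trusted}:
        return ("pass-through", req)
    return ("local", host.sam_name())


def network_logon(target: Host, requested_domain: str, user: str, password: str) -> bool:
    """Workgroup outcome: succeeds only when the locally handled request
    matches a local account with the same password (the "silent" case)."""
    where, _ = route(target, requested_domain)
    if where != "local":
        return False  # would be decided by the remote domain; not modelled
    return target.sam.get(user) == password


# Constructed hosts mirroring the question: two workgroup PCs, same account.
PC1 = Host("PC1", "workgroup", sam={"martin": "s3cret"})
PC2 = Host("PC2", "workgroup", sam={"martin": "s3cret"})
```

Calling `network_logon(PC2, "PC1", "martin", "s3cret")` returns True (no prompt), while a different password on PC2 returns False, which is when the credential prompt appears.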