Windows NT User Account Database Search Order

Last reviewed: February 4, 1998
Article ID: Q163632
The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, and 4.0

SUMMARY

When a session is established on the Microsoft Windows NT Server service, the user account database or SAM (security account manager) database that is used to validate the credentials is chosen based on certain rules. The server looks at the domain name field in the server message block (SMB) file and print sharing protocol to determine which database will be authoritative.

MORE INFORMATION

Windows NT uses the following rules to determine which user account database to use when validating a user's credentials:

   If the domain name provided is a trusted domain, pass-through
   authentication is used to pass the credentials to the trusted
   domain for validation. If the user account does not exist in
   the trusted domain and the guest account is enabled on the
   local machine, the guest account is used.

   If the domain name provided is that of the domain controller
   itself, the domain controller will use its local SAM
   database. If the server or workstation being accessed is a
   member of that domain, the request is processed remotely
   using pass-through authentication through the implicit trust
   to one of its domain controllers. If the username provided
   does not exist in this primary domain and the guest account
   is enabled on the local machine, then the guest account is
   used.

   If no domain name is provided, such as when a down-level
   legacy client is used, the local SAM database is first
   checked, and then all trusted domains are checked with
   pass-through authentication. This can produce inconsistent
   results if the user name exists in multiple trusted domains.
   The first domain that responds will be used for the
   validation. If neither the local SAM nor any trusted domain
   is able to validate the credentials, and the guest account
   is enabled on the local computer, the guest account is used.

   If the domain name provided is not a trusted domain, the local
   SAM is used for validation. If the user name does not exist
   locally, the guest account is used.

What follows is some sample output from Network Monitor that shows a session setup and the credentials that are passed to the server. Windows NT uses the domain name to determine which user account database has the authority to validate the user.

   SMB: Command = C session setup & X
   SMB: Word count = 13
   SMB: Word parameters
   SMB: Next offset = 0x00D2
   SMB: Max Buffer Size = 4356 (0x1104)
   SMB: Max MPX requests = 50
   SMB: VC number = 0
   SMB: Session Key = 0
   SMB: Password length = 24 (0x18)
   SMB: Unicode Password length = 24 (0x18)
   SMB: Capabilities = 212 (0xD4)
   SMB: Byte count = 149
   SMB: Byte parameters
   SMB: Account name = acctname
   SMB: Domain name = DOMAINNAME
   SMB: Native OS = Windows NT 1381
   SMB: Native Lanman = Windows NT 4.0

In the response from the server, the domain name indicates which domain the server is a member of, regardless of the SAM that was used to validate the user. What follows is an example of the session response from the SMB server.

   SMB: Command = C session setup & X
   SMB: Word count = 3
   SMB: Word parameters
   SMB: Next offset = 0x0084
   SMB: Setup action = 0x0000
   SMB: Byte count = 91
   SMB: Byte parameters
   SMB: Native OS = Windows NT 3.51
   SMB: Native Lanman = NT LAN Manager 3.51
   SMB: Domain name = DOMAINNAME
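The following is an added example, not Microsoft code, that models the four search-order rules above as a decision function and pulls the Account name and Domain name fields out of Network Monitor output like the session setup shown. The Server class, DOMAIN_ACCOUNTS table and the sample accounts are constructed; the handling of the implicit trust to a member server's own domain under rule 3 is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample: which accounts each domain's SAM (on its domain controllers) knows.
DOMAIN_ACCOUNTS = {"CORP": {"alice"}, "PARTNER": {"alice", "bob"}}

@dataclass
class Server:
    domain: str                      # domain the server is a member of
    is_domain_controller: bool
    trusted_domains: set = field(default_factory=set)   # explicit trusts
    local_accounts: set = field(default_factory=set)    # this machine's own SAM
    guest_enabled: bool = False

def session_setup_fields(netmon_text):
    """Pull Account name / Domain name out of Network Monitor session setup output."""
    fields = {}
    for line in netmon_text.splitlines():
        line = line.strip()
        if line.startswith("SMB:") and " = " in line:
            key, value = line[4:].split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields.get("Account name", ""), fields.get("Domain name", "")

def choose_database(server, user, domain):
    """Apply the four search-order rules. Returns (database, account), where account
    is 'guest' for a guest fallback and None when no database validates the logon."""
    def guest():
        return (None, "guest") if server.guest_enabled else (None, None)
    def local():
        return ("LOCAL SAM", user) if user in server.local_accounts else guest()
    def remote(d):
        return ("PASS-THROUGH:" + d, user) if user in DOMAIN_ACCOUNTS.get(d, set()) else guest()
    if domain in server.trusted_domains:                 # rule 1: explicitly trusted domain
        return remote(domain)
    if domain and domain == server.domain:               # rule 2: the server's own domain
        return local() if server.is_domain_controller else remote(domain)
    if not domain:                                       # rule 3: down-level client, no domain
        if user in server.local_accounts:
            return ("LOCAL SAM", user)
        # Assumption: the implicit trust to the server's own domain is searched here too.
        searched = set(server.trusted_domains)
        if not server.is_domain_controller:
            searched.add(server.domain)
        hits = sorted(d for d in searched if user in DOMAIN_ACCOUNTS.get(d, set()))
        if len(hits) > 1:      # the article's inconsistent case: first responder wins
            return ("PASS-THROUGH:" + "|".join(hits), user)
        return remote(hits[0]) if hits else guest()
    return local()                                       # rule 4: unknown, untrusted domain
```

A "|" in the returned database name flags a logon whose outcome depends on which trusted domain answers first, which is the ambiguity the article warns about.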

Keywords          : ntdomain NTSrvWkst kbnetwork
Version           : WinNT:3.5,3.51,4.0
Platform          : winnt
Hardware          : x86
Issue type        : kbinfo

© 1998 Microsoft Corporation. All rights reserved.