Logon and Authentication Processes

Before doing anything on a Windows NT system, a user must log on to the system by supplying a username and password. Windows NT uses the username for identification and the password for validation. Different processes at several levels protect resources, but logon security protects overall access to a domain or computer. The logon process requires users to identify themselves to the domain or the computer. The username and password that the user types in the Logon Information dialog box are checked against either the computer directory database (if the user is logging on to a user account defined on the computer) or the domain directory database (if the user is logging on to a domain user account).

Once authenticated, an account is available for use with all Windows NT Server network services and compatible server applications, such as the Microsoft BackOffice™ suite of server products. Through directory services, authentication enables a user logging on to a single Windows NT Server domain to use other applications, such as Microsoft SQL Server and Microsoft Exchange Server, and network services, such as Services for Macintosh.

The initial logon process for Windows NT is interactive, meaning that the user must type information at the keyboard in response to a dialog box that appears on the screen. Windows NT grants or denies access based upon the information the user provides.

The steps included in the interactive logon and validation process are:

1. The user presses Ctrl+Alt+Del.

2. When the user provides a username and a password, the logon process calls the LSA.

3. The LSA runs the appropriate authentication package.

4. The authentication package checks the user-accounts database to see if the account is local. If it is, the username and password are verified against those held in the user accounts database. If not, the requested logon is forwarded to an alternate authentication package.

5. When the account is validated, SAM (which owns the user-accounts database) returns the user's security ID and the security IDs of any global groups to which the user belongs.

6. The authentication package creates a logon session and then passes the logon session and the security IDs associated with the user to LSA.

7. If the logon is rejected, the logon session is deleted, and an error is returned to the logon process.

   If the logon is not rejected, an access token, containing the user's security ID and the security IDs of Everyone and other groups, is created. It also contains the user rights (described in the next section) assigned to the collected security IDs. This access token is returned to the logon process with a Success status.

8. The logon session calls the Win32 subsystem to create a process and attach the access token to the process, thus creating a subject for the user account. (Subjects are described in the section called "Subjects and Impersonation," earlier in this chapter.)

9. For an interactive Windows NT session, the Win32 subsystem starts the desktop for the user.

After the validation process, a user's shell process (that is, the process in which the desktop is started for the user) is given an access token. Anything the user does, and any process that runs on the user's behalf, carries the information in this access token.
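The sequence above as a small Python model (an added illustration, not code from Windows NT or this chapter): two authentication packages each own a constructed account database, the LSA tries the local package first and forwards the logon to the alternate package, a rejected logon deletes its session, and a successful one yields a token holding the user SID, the Everyone SID, the group SIDs and the rights collected from them. All usernames, passwords, SIDs and rights are constructed sample values, and `SESSIONS` and the session-id counter are assumed helpers standing in for LSA's own bookkeeping.

```python
import hashlib
import hmac
import itertools

EVERYONE_SID = "S-1-1-0"          # well-known SID for the Everyone group
SALT = b"constructed-salt"        # one fixed salt keeps the sample data short

def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Constructed account databases, one per authentication package: the local SAM
# and an alternate (domain) database. SIDs and rights are sample values.
LOCAL_SAM = {"alice": {"hash": password_hash("correct horse"),
                       "sid": "S-1-5-21-1-1-1-1001", "groups": ["S-1-5-21-1-1-1-513"]}}
DOMAIN_DB = {"bob": {"hash": password_hash("battery staple"),
                     "sid": "S-1-5-21-2-2-2-1002", "groups": ["S-1-5-21-2-2-2-512"]}}
RIGHTS_BY_SID = {"S-1-5-21-1-1-1-513": {"SeChangeNotifyPrivilege"},
                 "S-1-5-21-2-2-2-512": {"SeChangeNotifyPrivilege", "SeBackupPrivilege"},
                 "S-1-5-21-2-2-2-1002": {"SeShutdownPrivilege"}}
SESSIONS = {}                     # logon session id -> username (LSA-owned, assumed helper)
_session_ids = itertools.count(1)

def package_logon(db, user, password):
    """One authentication package checking the database it owns (step 4)."""
    record = db.get(user)
    if record is None:
        return None               # not this package's account: LSA forwards it
    if not hmac.compare_digest(record["hash"], password_hash(password)):
        raise PermissionError("password mismatch")
    return record["sid"], list(record["groups"])   # what SAM returns (step 5)

def lsa_logon(user, password, packages=(LOCAL_SAM, DOMAIN_DB)):
    """Returns an access token dict on success, None if the logon is rejected."""
    session = next(_session_ids)  # step 6: a logon session is created
    SESSIONS[session] = user
    for db in packages:           # local package first, then the alternate
        try:
            result = package_logon(db, user, password)
        except PermissionError:
            del SESSIONS[session] # step 7: rejected -> session deleted, error returned
            return None
        if result is None:
            continue
        user_sid, group_sids = result
        sids = [user_sid, EVERYONE_SID, *group_sids]
        rights = set().union(*(RIGHTS_BY_SID.get(s, set()) for s in sids))
        return {"session": session, "user_sid": user_sid, "groups": sids, "rights": rights}
    del SESSIONS[session]         # no package recognised the account
    return None
```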

Note

Windows NT has the ability to support multiple authentication packages that are implemented as DLLs. This flexibility allows third-party software vendors the opportunity to integrate custom authentication packages with Windows NT. For example, a network vendor might augment the standard Windows NT authentication package by adding one that allows users to log on simultaneously to Windows NT and to the vendor's network.