Authentication |
When a user with an account in a Windows 2000 domain logs on at the keyboard of a computer that is running Windows 2000, the user's logon request is processed in three stages:
This is accomplished through an AS Exchange between the Kerberos SSP on the computer and the KDC in the user's account domain. The result is a TGT that the user can present in future transactions with this KDC.
This is accomplished through a TGS Exchange between the Kerberos SSP on the computer and the KDC for the computer's account domain. The result is a session ticket that the user can present when he or she requests access to system services on the computer.
This is accomplished when the Kerberos SSP on the computer presents a session ticket to the LSA on the computer.
If the computer's account domain is different from the user's account domain, an extra step is involved. Before the Kerberos SSP can request a session ticket for the computer, it must ask the KDC in the user's domain for a TGT that is good for admission to the KDC in the computer's domain. The SSP can then present the TGT to the KDC in the computer's domain and get a session ticket for the computer.
Exactly how the logon process works depends on how you configure the computer. With standard configurations of Windows 2000, interactive users log on with a password. In another optional configuration of Windows 2000, users log on with a smart card. Although the basic process is the same for both configurations, there are some differences.