Authentication
Logging on at the keyboard of a computer running Windows 2000 is like crossing an international border. A guard asks for identification; you present credentials issued by a trusted authority. In this case, the guard is Winlogon, a security service running in a process it shares with the Local Security Authority (LSA). Winlogon displays a dialog box that asks you to identify your account and the security authority that issued it. It also requires you to substantiate your claim that you are the account holder, which on standard Windows 2000 systems you do by typing a password. On specially equipped systems, your credentials might instead be taken from a smart card that you insert into a card reader. Whatever proof of identity you supply, Winlogon collects it, packages it in a data structure, and passes everything to the LSA for verification. If the LSA can verify that your account is valid and that you are the account holder, Winlogon sets up an interactive session on the computer. Otherwise, you are denied access to the computer.
How the LSA verifies your identity depends on where your account was issued. If your account was issued by the LSA itself, the LSA can validate your information by checking its own account database. If you are using an account issued by the security authority for the local domain or by the security authority for a trusted domain, the LSA must contact the issuing authority and ask it to verify that the account is valid and that you are the account holder.