This article describes how Windows 2000 authenticates users on your local computer.
When you log on to a computer running Windows 2000 Professional or Server, Windows 2000 uses two authentication procedures to log you on locally. Windows attempts to use Kerberos as the primary source of user authentication. If the Key Distribution Center (KDC) service is not found for Kerberos authentication, Windows uses Windows NT LAN Manager (NTLM) security to authenticate users against the local Security Accounts Manager (SAM) database.
KDC is a service that runs on all domain controllers and works with Active Directory and Kerberos security authentication services. If the KDC service is not available when you log on to your computer, Kerberos cannot authenticate the user. Windows 2000 uses the NTLM security system for compatibility with earlier versions of Windows NT.
Local logon authentication uses the following steps:
- You type your user name and password. The Graphical Identification and Authentication (GINA) component collects your user name and password.
- GINA passes the secure information to the Local Security Authority (LSA) for authentication.
- The LSA passes the information to the Security Support Provider Interface (SSPI). SSPI is an interface that communicates to both Kerberos and NTLM services and allows developers to write security aware applications without knowing Kerberos or NTLM specifics.
- SSPI passes the user name and password to the Kerberos SSP. The Kerberos SSP checks whether the target computer name is the local computer or a domain name. If it is the local computer name, Kerberos passes an error message back to SSPI. The computer generates an internal error that is not visible to the user. If the network was checked and no KDC could be found, the following error message is passed back:
No logon server available.
- The internal error message triggers SSPI to start the process over again with GINA. GINA passes the information to LSA again, and then LSA passes the information to SSPI again.
- This time, SSPI passes the user name and password to the NTLM driver, the MSV1_0 SSP. The NTLM driver uses the Netlogon service to validate the user against the local SAM database.
- You receive the following error message only if both Kerberos and NTLM fail to authenticate your user account:
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.
NOTE: This error message is the same whether the password is typed incorrectly or the user name is not in the local SAM database. This is done to increase security.
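As an added example (not part of this article), the following Python parses constructed Windows 2000 Security log records and names which of the two authentication paths described above, Kerberos or NTLM through MSV1_0, produced each logon or failure. The record text, the field layout and the handling of a `Negotiate` package are assumptions modelled on what Event Viewer shows for events 528 and 529.

```python
import re
# Constructed records modelled on the text Windows 2000 Event Viewer shows
# for Security events 528 (success) and 529 (failure); not captured logs.
SAMPLE_EVENTS = """\
Event ID: 528
\tUser Name:\talice
\tDomain:\tWS01
\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Event ID: 528
\tUser Name:\tbob
\tDomain:\tCORP
\tAuthentication Package:\tKerberos

Event ID: 529
\tReason:\tUnknown user name or bad password
\tUser Name:\tadmin
\tDomain:\tWS01
\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
"""

# MSV1_0 is the NTLM provider that checks the local SAM; "Kerberos" means a
# KDC validated the logon; "Negotiate" (later Windows) hides which one ran.
PACKAGE_NAMES = {
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0": "NTLM/MSV1_0 (local SAM)",
    "Kerberos": "Kerberos (KDC)",
    "Negotiate": "undetermined (Negotiate)",
}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\t?(.*)$")

def parse_events(text):
    """Split Event Viewer text into one {field: value} dict per record."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m and m.group(2).strip():
                fields[m.group(1).strip()] = m.group(2).strip()
        events.append(fields)
    return events

def classify(event):
    """Return (DOMAIN\\user, authentication path, failed) for one record."""
    pkg = event.get("Authentication Package", "")
    path = PACKAGE_NAMES.get(pkg, f"unknown package {pkg!r}")
    account = f"{event.get('Domain', '?')}\\{event.get('User Name', '?')}"
    # A 529 carries one reason for both unknown user and bad password, just
    # like the logon error message, so the caller cannot tell them apart.
    return account, path, event.get("Event ID") == "529"
```

Running `classify` over `parse_events(SAMPLE_EVENTS)` labels the first record as an NTLM local logon, the second as a Kerberos logon and the third as an NTLM failure without distinguishing a bad password from an unknown user.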
Article ID: 231789 - Last Review: February 27, 2007 - Revision: 3.2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Datacenter Server