This article describes how a user who has a Windows 2000 Active Directory domain user account can log on to a Windows 2000 Professional client when the client's computer account is in a Windows NT 4.0 resource domain. This scenario uses both NTLM and Kerberos to authenticate the user account.
- Windows 2000 client (named "client" or "the client" in this article)
- Windows NT 4.0 resource domain controller (named "R_DC" in this article)
- Windows 2000 accounts domain controller (named "A_DC" in this article)
The logon occurs in two phases. In the first phase, the client authenticates its computer account. In the second phase, the user account logs on to the client.
Computer Account Authentication
- The client uses NetBIOS name resolution (WINS, broadcast, lmhosts, and so on) to locate a domain controller.
- R_DC responds to the client, and the computer account is authenticated (this is the process of setting up a secure channel).
User Logs On to Workstation
Part 1: First Kerberos Authentication
- The user logs on by typing the user's credentials on the client.
- The client uses DNS to locate a Key Distribution Center (KDC), which is the A_DC.
- The client requests a ticket for the workstation from the KDC. The KDC responds that no such account exists (the workstation's computer account is in the Windows NT 4.0 resource domain, not in Active Directory), so the client reverts to NTLM.
Part 2: NTLM Authentication
- The client passes the user's logon credentials across the secure channel to the R_DC.
- The R_DC does not have this account in its database, but it knows of a trust to the accounts domain on the A_DC. A secure channel from the R_DC to the A_DC is used.
- The R_DC passes the user's credentials to the A_DC. The A_DC authenticates the user account.
- The R_DC returns the successful authentication to the client.
- The R_DC passes the name of the A_DC to the client (this is the Logon_Server value).
Part 3: Final Kerberos Authentication
- The client must now connect to the Logon_Server (which is the A_DC) to look for policies, logon scripts, and the like.
- The client uses Kerberos to obtain a ticket for the A_DC.
- The KDC grants the tickets, and the client then uses Kerberos for authentication to the A_DC.
- The client processes policies, scripts, and the like as the client receives them.
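The following is an added model of the three-part logon sequence above; it is not code from the article or from Microsoft. It assumes constructed domain names ("RES" for the NT 4.0 resource domain, "ACCT" for the Windows 2000 accounts domain), a constructed workstation account "client$", and a constructed user "alice", and it also covers the two cases the article does not walk through: no trust between the domains (logon fails) and a workstation whose account already lives in the Windows 2000 domain (no NTLM fallback).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Domain:
    name: str
    kind: str                                        # "NT4": NTLM only; "W2K": has a Kerberos KDC
    users: Set[str] = field(default_factory=set)
    computers: Set[str] = field(default_factory=set)
    trusts: Set[str] = field(default_factory=set)    # accounts domains this domain trusts

def kerberos_ticket(kdc: Domain, principal: str) -> bool:
    """A KDC only issues tickets for principals in its own directory; an NT 4.0 DC has no KDC."""
    return kdc.kind == "W2K" and (principal in kdc.users or principal in kdc.computers)

def ntlm_pass_through(rdc: Domain, user: str, domains: Dict[str, Domain]) -> Optional[str]:
    """NTLM pass-through: the resource DC checks its own database, then forwards the
    credentials over a trust. Returns the name of the DC that authenticated (Logon_Server)."""
    if user in rdc.users:
        return rdc.name
    for trusted in rdc.trusts:
        if user in domains[trusted].users:
            return trusted
    return None

def logon(client_domain: str, user_domain: str, user: str, domains: Dict[str, Domain]) -> List[str]:
    """Return the sequence of authentication steps for the logon described in the article."""
    rdc, adc = domains[client_domain], domains[user_domain]
    steps = [f"NetBIOS: client finds {rdc.name}; secure channel set up for the computer account"]
    # Part 1: the client asks the KDC located through DNS for a ticket for the workstation
    if kerberos_ticket(adc, "client$"):
        steps.append(f"Kerberos: {adc.name} issued a ticket for client$; logon stays on Kerberos")
        return steps
    steps.append(f"Kerberos: {adc.name} KDC has no account client$ -> revert to NTLM")
    # Part 2: credentials go over the secure channel to the R_DC, which uses the trust
    logon_server = ntlm_pass_through(rdc, user, domains)
    if logon_server is None:
        steps.append(f"NTLM: {rdc.name} cannot authenticate {user} and has no usable trust -> logon fails")
        return steps
    steps.append(f"NTLM: {rdc.name} -> {logon_server} authenticated {user}; Logon_Server={logon_server}")
    # Part 3: the client must reach Logon_Server for policies and scripts
    if kerberos_ticket(domains[logon_server], user):
        steps.append(f"Kerberos: ticket for {user} from {logon_server}; policies and scripts fetched")
    else:
        steps.append(f"NTLM: {logon_server} has no KDC; policies and scripts fetched over NTLM")
    return steps

if __name__ == "__main__":
    # Constructed sample: NT 4.0 resource domain RES trusts Windows 2000 accounts domain ACCT
    lab = {"RES": Domain("RES", "NT4", computers={"client$"}, trusts={"ACCT"}),
           "ACCT": Domain("ACCT", "W2K", users={"alice"})}
    for line in logon("RES", "ACCT", "alice", lab):
        print(line)
```

Running it prints the four steps of the article's scenario; the Kerberos attempt, the NTLM fallback and the final Kerberos ticket each appear as one line.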
For additional information about NTLM and Kerberos
authentication protocols, click the following article numbers to view the
articles in the Microsoft Knowledge Base:
How to Disable LM Authentication on Windows NT
Basic Overview of Kerberos User Authentication Protocol in Windows 2000
Article ID: 319494 - Last Review: February 21, 2007 - Revision: 3.2
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Server