Article ID: 319494 - Last Review: February 21, 2007 - Revision: 3.2

Logon Process for Active Directory Domain User Account With a Windows NT 4.0 Computer Account

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q319494

On This Page

Expand all | Collapse all

SUMMARY

This article describes how a user who has a Windows 2000 Active Directory domain user account can log on to a Windows 2000 Professional client when the client's computer account is in a Windows NT 4.0 domain.
Back to the top

MORE INFORMATION

This scenario uses both NTLM and Kerberos to authenticate the user account.
Back to the top

Configuration:

  1. Windows 2000 client (named "client" or "the client" in the example).
  2. Windows NT 4.0 resource domain controller (named "R_DC" in the example).
  3. Windows 2000 accounts domain controller (named "A_DC" in the example)
The log on occurs in two phases. In one phase, the client authenticates its computer account. In the second phase, the user account logs on to the client.
Back to the top

Computer Account Authentication

  1. The client uses NetBIOS name resolution (WINS, broadcast, lmhosts, etc) to locate a domain controller.
  2. R_DC responds to client, and the computer account is authenticated (this is the process of setting a secure channel).
Back to the top

User Logs On to Workstation

Part 1: First Kerberos Authentication

  1. User logs on by typing the user's credentials on the client.
  2. The client uses DNS to locate a Key Distribution Center (KDC) which is the A_DC.
  3. The client requests a ticket for the workstation from the KDC. The KDC responds that no such account exists, so the client reverts to NTLM authentication.

Part 2: NTLM Authentication

  1. The client passes the user's log on credentials across a secure channel to the R_DC.
  2. The R_DC does not have this account in its database, but knows of a trust to the accounts domain on the A_DC. A secure channel from the R_DC to the A_DC is used.
  3. The R_DC passes the user's credentials to the A_DC. The A_DC authenticates the user account.
  4. The R_DC returns the successful authentication to the client.
  5. The R_DC passes the name of the A_DC to the client (this is the Logon_Server value).

Part 3: Final Kerberos Authentication

  1. The client must now connect to the Logon_Server (which is the A_DC) to look for policies, login scripts, and the like.
  2. The client uses Kerberos to obtain a ticket for the A_DC.
  3. The KDC grants the tickets, and then the client uses Kerberos for authentication to the A_DC.
  4. The client processes policies, scripts, and the like as the client receives them.
Back to the top

REFERENCES

For additional information about NTLM and Kerberos authentication protocols, click the following article numbers to view the articles in the Microsoft Knowledge Base:
147706  (http://support.microsoft.com/kb/147706/EN-US/ ) How to Disable LM Authentication on Windows NT
217098  (http://support.microsoft.com/kb/217098/EN-US/ ) Basic Overview of Kerberos User Authentication Protocol in Windows 2000
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
Back to the top
Keywords: 
kbinfo KB319494
Back to the top