This article was previously published under Q319494
This article describes how a user who has a Windows 2000 Active Directory domain user account can log on to a Windows 2000 Professional client when the client's computer account is in a Windows NT 4.0 domain.
This scenario uses both NTLM and Kerberos to authenticate the user account.
Windows 2000 client (named "client" or "the client" in the example).
Windows NT 4.0 resource domain controller (named "R_DC" in the example).
Windows 2000 accounts domain controller (named "A_DC" in the example).
The logon occurs in two phases: in the first phase, the client authenticates its computer account; in the second phase, the user account logs on to the client.
Computer Account Authentication
The client uses NetBIOS name resolution (WINS, broadcast, LMHOSTS, and so on) to locate a domain controller.
R_DC responds to the client, and the computer account is authenticated (this is the process that establishes the secure channel).
User Logs On to Workstation
Part 1: First Kerberos Authentication
The user logs on by typing the user's credentials on the client.
The client uses DNS to locate a Key Distribution Center (KDC), which is the A_DC.
The client requests a ticket for the workstation from the KDC. Because the client's computer account is in the Windows NT 4.0 domain, the KDC responds that no such account exists, so the client falls back to NTLM authentication.
Part 2: NTLM Authentication
The client passes the user's logon credentials across the secure channel to the R_DC.
The R_DC does not have this account in its database, but it knows of a trust to the accounts domain on the A_DC, so a secure channel from the R_DC to the A_DC is used.
The R_DC passes the user's credentials to the A_DC. The A_DC authenticates the user account.
The R_DC returns the successful authentication to the client.
The R_DC passes the name of the A_DC to the client (this is the Logon_Server value).
Part 3: Final Kerberos Authentication
The client must now connect to the Logon_Server (which is the A_DC) to look for policies, logon scripts, and the like.
The client uses Kerberos to obtain a ticket for the A_DC.
The KDC grants the tickets, and then the client uses Kerberos for authentication to the A_DC.
The client processes policies, scripts, and the like as the client receives them.
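The whole exchange above, as an added Python model that is not part of the original article: the three parties are plain classes with assumed names (Win2000Dc, Nt4Dc, logon), and it also covers a case the article does not show, a computer account that lives in the Windows 2000 domain, where no NTLM hop occurs.

```python
# Constructed model of the logon flow above; names are illustrative, not Windows APIs.
from dataclasses import dataclass, field

@dataclass
class Win2000Dc:  # A_DC: Windows 2000 accounts domain controller, also the KDC
    name: str
    principals: set  # user and computer accounts held by the accounts domain

    def service_ticket(self, user, service, trace):
        # AS exchange for the user, then a TGS request for the service principal.
        if user in self.principals and service in self.principals:
            trace.append(f"KDC {self.name}: ticket for {service}")
            return True
        trace.append(f"KDC {self.name}: no such account {service}")
        return False

@dataclass
class Nt4Dc:  # R_DC: Windows NT 4.0 resource domain controller
    name: str
    computer_accounts: set
    trusts: dict = field(default_factory=dict)  # trusted domain -> its DC

    def ntlm_logon(self, user, domain, trace):
        # The user is not in R_DC's database, so the NTLM logon is passed
        # through the trust to the accounts domain (pass-through authentication).
        a_dc = self.trusts.get(domain)
        if a_dc is None:
            return False, None
        trace.append(f"{self.name}: pass-through NTLM for {user} to {a_dc.name}")
        ok = user in a_dc.principals
        return ok, (a_dc.name if ok else None)  # Logon_Server value

def logon(client, user, domain, r_dc, a_dc):
    """Return (trace, package used for the user logon, Logon_Server)."""
    trace = []
    if client not in r_dc.computer_accounts:  # no secure channel, no logon
        return trace, None, None
    trace.append(f"{client}: secure channel to {r_dc.name}")
    # Part 1: ask the KDC for a ticket to the workstation's own account.
    if a_dc.service_ticket(user, f"host/{client}", trace):
        package, server = "Kerberos", a_dc.name
    else:
        # Part 2: fall back to NTLM over the secure channel to R_DC.
        ok, server = r_dc.ntlm_logon(user, domain, trace)
        if not ok:
            return trace, None, None
        package = "NTLM"
    # Part 3: Kerberos to the Logon_Server for policies and logon scripts.
    a_dc.service_ticket(user, f"host/{server}", trace)
    return trace, package, server
```

The trace makes the practical point visible: as long as the workstation's account stays in the NT 4.0 domain, the user logon itself is NTLM pass-through, so NTLM cannot be switched off on these domain controllers without breaking this logon.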
For additional information about NTLM and Kerberos authentication protocols, click the following article numbers to view the articles in the Microsoft Knowledge Base:
147706 How to Disable LM Authentication on Windows NT
217098 Basic Overview of Kerberos User Authentication Protocol in Windows 2000