| NT Server 4.0 | Windows 2000 Server Active Directory |
|---|---|
| The computer presents the user with a dialog box requesting a username, password, and the domain to log on to. | The computer presents the user with a dialog box requesting a username and password. The domain is displayed only after a failed logon. |
| The information is passed to the Local Security Authority (LSA). | The information is passed to the Local Security Authority (LSA). |
| The LSA checks whether the logon is local to the machine or to a domain. | The LSA checks whether the logon is local to the machine or to a domain. |
| The LSA attempts to locate a PDC or BDC to authenticate the user against. | The LSA attempts to locate a DC (acting as the Kerberos KDC) to authenticate the user against. |
| The workstation authenticates to the PDC or BDC with NTLM challenge/response: the DC issues a challenge and the workstation answers with a response computed from the user's password hash. The password itself does not cross the wire. | The workstation sends a Kerberos AS-REQ containing the username and, as pre-authentication data, a timestamp encrypted with a key derived from the user's password. The password never goes over the wire. |
| The PDC or BDC locates the username in the SAM database and verifies the response against the stored password hash. | The DC locates the username in Active Directory, decrypts the timestamp with the key stored for that account, and checks that it falls within the permitted clock skew (5 minutes by default). If it does, the user is authenticated and a TGT is issued. |
| The PDC or BDC returns the Security Identifier (SID) associated with the user's account. | The DC returns the Security Identifier (SID) associated with the user's account. |
| The PDC or BDC then returns the SID of every group associated with the user's account. | The DC, consulting a Global Catalog server for universal group membership, then returns the SID of every group associated with the user's account. |
| The logon script path is passed to the local machine. | The logon script path is passed to the local machine. |
| The user's roaming profile path is passed to the local machine. | The user's roaming profile path is passed to the local machine. |
| The local computer then reads the NETLOGON share of the domain controller for any system policy associated with the machine, the user, or the user's groups. | The DC provides the computer with the user portion of any Group Policy associated with the user's account. (Computer policies were applied at startup.) |
| Scripts run, the profile is downloaded, and policies are applied. | Policies are applied, the profile is downloaded, and scripts run. |
| The user gains access to the desktop. | The user gains access to the desktop. |