Microsoft KB Archive/163632

= Windows NT User Account Database Search Order =

Article ID: 163632

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows NT Workstation 3.5
 * Microsoft Windows NT Workstation 3.51
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 3.5
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q163632



SUMMARY
When a session is established with the Microsoft Windows NT Server service, the user account database, or SAM (Security Account Manager) database, that validates the credentials is chosen according to a fixed set of rules. The server looks at the domain name field of the Server Message Block (SMB) file and print sharing protocol's session setup request to determine which database is authoritative.



MORE INFORMATION
Windows NT uses the following rules to determine which user account database to use when validating a user's credentials:
 * 1) If the domain name provided is a trusted domain, pass-through authentication is used to pass the credentials to that trusted domain for validation. If the user account does not exist in the trusted domain and the guest account is enabled on the local computer, the guest account is used.
 * 2) If the domain name provided is the server's own domain, a domain controller uses its local SAM database. If the server or workstation being accessed is a member of that domain, the request is passed through the implicit trust to one of its domain controllers with pass-through authentication. If the user name does not exist in this primary domain and the guest account is enabled on the local computer, the guest account is used.
 * 3) If no domain name is provided, as with a down-level legacy client, the local SAM database is checked first, and then all trusted domains are checked with pass-through authentication. This can produce inconsistent results if the user name exists in more than one trusted domain: the first domain that responds is used for the validation. If neither the local SAM nor any trusted domain can validate the credentials, and the guest account is enabled on the local computer, the guest account is used.
 * 4) If the domain name provided is not a trusted domain, the local SAM is used for validation. If the user name does not exist locally and the guest account is enabled, the guest account is used.
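The four rules above can be made concrete as a small decision procedure. The following Python is an added example, not part of the KB article: it models a domain (CORP) that trusts a second domain (PARTNER), a member server (FILESRV) with the guest account enabled, and a CORP domain controller, and returns which database ends up validating a given user name, password and domain name. The SAM contents, trust relationships and the plaintext password comparison (standing in for the real LM/NTLM challenge-response) are all constructed here; the assumption that a member server also searches its own domain under rule 3, and the deterministic ordering of the trusted domains, are marked in the code.

```python
"""Simulate the four Windows NT rules above for choosing the account database.

Added example, not part of the KB article. The SAM contents, trust
relationships and the plaintext password comparison (standing in for the
real LM/NTLM challenge-response) are constructed here for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Sam:
    name: str               # NetBIOS name of the machine or domain owning this SAM
    accounts: dict          # user name -> password
    guest_enabled: bool = False


@dataclass
class Server:
    local: Sam              # the server's own SAM
    domain: Optional[str]   # domain the server belongs to (None when standalone)
    domain_sams: dict       # domain name -> SAM held by that domain's controllers
    trusted: frozenset      # domains trusted by the server's own domain

    def is_dc(self):
        # On a domain controller the domain SAM *is* the local SAM.
        return self.domain is not None and self.domain_sams.get(self.domain) is self.local


def check(sam, user, password):
    """Return ('ok' or 'denied', sam.name) if sam knows the account, else None."""
    if user not in sam.accounts:
        return None
    return ("ok" if sam.accounts[user] == password else "denied", sam.name)


def guest_fallback(server, authority):
    # The fallback is always the *local* guest account, and only when it is enabled.
    if server.local.guest_enabled:
        return ("guest", server.local.name)
    return ("denied", authority)


def validate(server, user, password, domain):
    """Return (outcome, database) for one session setup; outcome is ok, guest or denied."""
    # Rule 1: a trusted domain is named -> pass-through to that domain only.
    if domain in server.trusted:
        return check(server.domain_sams[domain], user, password) or guest_fallback(server, domain)
    # Rule 2: our own domain is named -> local SAM on a DC, pass-through on a member.
    if domain and domain == server.domain:
        sam = server.local if server.is_dc() else server.domain_sams[domain]
        return check(sam, user, password) or guest_fallback(server, domain)
    # Rule 3: no domain (down-level client) -> local SAM, then the trusted domains.
    if not domain:
        candidates = [server.local]
        if server.domain and not server.is_dc():
            # Assumption: the member's own domain (implicit trust) is searched as well.
            candidates.append(server.domain_sams[server.domain])
        # Real NT takes whichever domain answers first; sorted() only makes this deterministic.
        candidates += [server.domain_sams[d] for d in sorted(server.trusted)]
        for sam in candidates:
            result = check(sam, user, password)
            if result:
                return result       # first database that knows the name is authoritative
        return guest_fallback(server, server.local.name)
    # Rule 4: an untrusted domain is named -> local SAM only.
    return check(server.local, user, password) or guest_fallback(server, server.local.name)


# Constructed environment: CORP trusts PARTNER; FILESRV is a CORP member with guest enabled.
CORP = Sam("CORP", {"alice": "pw1"})
PARTNER = Sam("PARTNER", {"bob": "pw2", "alice": "other"})   # same user name, different account
DOMAINS = {"CORP": CORP, "PARTNER": PARTNER}
FILESRV = Server(Sam("FILESRV", {"svc": "pw3"}, guest_enabled=True), "CORP", DOMAINS, frozenset({"PARTNER"}))
CORP_DC = Server(CORP, "CORP", DOMAINS, frozenset({"PARTNER"}))

if __name__ == "__main__":
    for args in [("bob", "pw2", "PARTNER"), ("alice", "pw1", "CORP"), ("carol", "x", "CORP"),
                 ("alice", "other", ""), ("alice", "other", "PARTNER"), ("nobody", "x", "EVILDOM")]:
        print(args, "->", validate(FILESRV, *args))
```

Two results are worth noting. With no domain name, PARTNER's alice is refused by CORP (which knows a different alice) and never reaches PARTNER, which is the inconsistency rule 3 warns about; and any unknown domain name or unknown user name on FILESRV ends in the local guest account, so leaving guest enabled on a member server turns a typo'd domain name into an anonymous session.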

Windows 2000 behavior:

When a logon attempt is made, three things are specified: the user name, the encrypted password, and the domain name. All fields are optional. The following simplified logic is used by the Net Logon service to process these logon credentials:
 * 1) If no domain is specified, or if the domain specified is the local domain (for a member server, its own computer or NetBIOS name), the local SAM database validates the logon. If an account is found and the credentials match, the logon proceeds. If no account is found and a domain was specified, the "account not found" message is returned.
 * 2) If no domain is specified, or if the domain specified is not the local domain, the request is sent to the domain controller. If an account is found and the credentials match, the logon proceeds. If no account is found and a domain was specified, the "account not found" message is returned.
 * 3) If the logon attempt specifies a domain and the logon was not a pass-through, a guest logon is permitted when no account is found. An attempt to use the passed-in credentials is also allowed, unless the response from step 1 or step 2 was authoritative, that is, the domain specified matched the authority that was asked. If guest or passed-in credentials are permitted, the Net Logon service tries to log on to the local SAM database. This is the final logon attempt.

What follows is some sample output from Network Monitor that shows a session setup and the credentials that are passed to the server. Windows NT uses the domain name to determine which user account database has the authority to validate the user.

  SMB: Command = C session setup & X
  SMB: Word count = 13
  SMB: Word parameters
  SMB: Next offset = 0x00D2
  SMB: Max Buffer Size = 4356 (0x1104)
  SMB: Max MPX requests = 50
  SMB: VC number = 0
  SMB: Session Key = 0
  SMB: Password length = 24 (0x18)
  SMB: Unicode Password length = 24 (0x18)
  SMB: Capabilities = 212 (0xD4)
  SMB: Byte count = 149
  SMB: Byte parameters
  SMB: Account name = acctname
  SMB: Domain name = DOMAINNAME
  SMB: Native OS = Windows NT 1381
  SMB: Native Lanman = Windows NT 4.0

In the response from the server, the domain name indicates which domain the server is a member of, regardless of the SAM that was used to validate the user. What follows is an example of the session response from the SMB server.

  SMB: Command = C session setup & X
  SMB: Word count = 3
  SMB: Word parameters
  SMB: Next offset = 0x0084
  SMB: Setup action = 0x0000
  SMB: Byte count = 91
  SMB: Byte parameters
  SMB: Native OS = Windows NT 3.51
  SMB: Native Lanman = NT LAN Manager 3.51
  SMB: Domain name = DOMAINNAME
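The request dump above is a 13-word SMB_COM_SESSION_SETUP_ANDX in the NT LM 0.12 layout. As an added example that is not part of the KB article, the Python below builds such a request and decodes the same fields back, including the Account name and Domain name that drive the rules in this article and the Unicode-alignment padding that sits between the password blobs and the strings. The field offsets follow the published MS-CIFS layout; the packet, the dummy 24-byte password blobs and the capability value are constructed here, and a request with an empty domain name (the down-level case of rule 3) is decoded as well.

```python
"""Build and decode an SMB1 SESSION_SETUP_ANDX request (NT LM 0.12 dialect, 13 words).

Added example, not from the KB article. Offsets follow the MS-CIFS layout:
32-byte header, WordCount, 13 words, ByteCount, then OEM password, Unicode
password, alignment pad and four null-terminated UTF-16LE strings. The
password blobs here are dummy 24-byte fillers.
"""
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000
WORDS_FMT = "<BBHHHHIHHII"   # AndXCmd, AndXRes, AndXOff, MaxBuf, MaxMpx, Vc, SessKey, OemLen, UniLen, Res, Caps


def build_session_setup(account, domain, native_os="Windows NT 1381", native_lanman="Windows NT 4.0",
                        oem_pw=b"\x00" * 24, uni_pw=b"\x00" * 24, capabilities=0xD4):
    """Return the raw SMB (without the NetBIOS session header) for a Unicode session setup."""
    header = b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", SMB_COM_SESSION_SETUP_ANDX,
                                      0, 0x18, FLAGS2_UNICODE, 0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    # AndXCommand 0xFF = nothing chained; MaxBuf/MaxMpx/Caps taken from the dump above.
    words = struct.pack(WORDS_FMT, 0xFF, 0, 0, 4356, 50, 0, 0, len(oem_pw), len(uni_pw), 0, capabilities)
    data = oem_pw + uni_pw
    if (len(header) + 1 + len(words) + 2 + len(data)) % 2:
        data += b"\x00"     # pad so the UTF-16 strings start on an even offset from the header
    for s in (account, domain, native_os, native_lanman):
        data += s.encode("utf-16-le") + b"\x00\x00"
    return header + bytes([13]) + words + struct.pack("<H", len(data)) + data


def read_string(data, pos, unicode):
    """Read a null-terminated string at pos; return (text, position after terminator)."""
    if unicode:
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 1 >= len(data):
            raise ValueError("unterminated Unicode string")
        return data[pos:end].decode("utf-16-le"), end + 2
    end = data.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated OEM string")
    return data[pos:end].decode("ascii"), end + 1


def parse_session_setup(pkt):
    """Decode the fields Network Monitor shows for a C session setup & X request."""
    if pkt[:4] != b"\xffSMB" or pkt[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB_COM_SESSION_SETUP_ANDX")
    flags2 = struct.unpack_from("<H", pkt, 10)[0]
    if pkt[32] != 13:
        raise ValueError("expected the 13-word NT LM 0.12 request, got WordCount=%d" % pkt[32])
    (_andx, _res, andx_off, max_buf, max_mpx, vc, skey,
     oem_len, uni_len, _res2, caps) = struct.unpack_from(WORDS_FMT, pkt, 33)
    byte_count = struct.unpack_from("<H", pkt, 59)[0]
    data_start = 61
    data = pkt[data_start:data_start + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated packet")
    pos = oem_len + uni_len
    unicode = bool(flags2 & FLAGS2_UNICODE)
    if unicode and (data_start + pos) % 2:
        pos += 1            # skip the alignment pad the builder inserted
    strings = []
    for _ in range(4):
        s, pos = read_string(data, pos, unicode)
        strings.append(s)
    return {"next_offset": andx_off, "max_buffer": max_buf, "max_mpx": max_mpx, "vc_number": vc,
            "session_key": skey, "password_len": oem_len, "unicode_password_len": uni_len,
            "capabilities": caps, "byte_count": byte_count, "account": strings[0],
            "domain": strings[1], "native_os": strings[2], "native_lanman": strings[3]}


if __name__ == "__main__":
    info = parse_session_setup(build_session_setup("acctname", "DOMAINNAME"))
    for k, v in info.items():
        print("SMB: %s = %s" % (k, v))
```

The Domain name string is the only thing the server has to go on when it picks the SAM, and it is chosen by the client; when decoding captures, an empty string here means the server will fall into rule 3 rather than rule 2.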

Keywords: kbinfo kbnetwork KB163632

-


© Microsoft Corporation. All rights reserved.