Microsoft KB Archive/319494

= Logon Process for Active Directory Domain User Account With a Windows NT 4.0 Computer Account =

Article ID: 319494

Article Last Modified on 2/21/2007

APPLIES TO
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server

This article was previously published under Q319494



SUMMARY
This article describes how a user who has a Windows 2000 Active Directory domain user account can log on to a Windows 2000 Professional client when the client's computer account is in a Windows NT 4.0 domain.



MORE INFORMATION
This scenario uses both NTLM and Kerberos to authenticate the user account.

Configuration:

 * 1) Windows 2000 client (named "client" or "the client" in the example).
 * 2) Windows NT 4.0 resource domain controller (named "R_DC" in the example).
 * 3) Windows 2000 accounts domain controller (named "A_DC" in the example).

The logon occurs in two phases. In the first phase, the client authenticates its computer account. In the second phase, the user account logs on to the client.

Computer Account Authentication

 * 1) The client uses NetBIOS name resolution (WINS, broadcast, LMHOSTS, and so on) to locate a domain controller.
 * 2) R_DC responds to the client, and the computer account is authenticated (this is the process of setting up a secure channel).

Part 1: First Kerberos Authentication

 * 1) The user logs on by typing the user's credentials on the client.
 * 2) The client uses DNS to locate a Key Distribution Center (KDC), which is the A_DC.
 * 3) The client requests a ticket for the workstation from the KDC. The KDC responds that no such account exists, so the client falls back to NTLM authentication.

Part 2: NTLM Authentication

 * 1) The client passes the user's logon credentials across a secure channel to the R_DC.
 * 2) The R_DC does not have this account in its database, but knows of a trust to the accounts domain on the A_DC. A secure channel from the R_DC to the A_DC is used.
 * 3) The R_DC passes the user's credentials to the A_DC. The A_DC authenticates the user account.
 * 4) The R_DC returns the successful authentication to the client.
 * 5) The R_DC passes the name of the A_DC to the client (this is the   value).

Part 3: Final Kerberos Authentication

 * 1) The client must now connect to the   (which is the A_DC) to look for policies, login scripts, and the like.
 * 2) The client uses Kerberos to obtain a ticket for the A_DC.
 * 3) The KDC grants the tickets, and then the client uses Kerberos for authentication to the A_DC.
 * 4) The client processes policies, scripts, and the like as the client receives them.
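The three phases above, modeled as an added Python example (not from the article or from Microsoft): it shows why the first Kerberos attempt fails (the workstation account is unknown to the A_DC's KDC), why NTLM pass-through over the trust then succeeds, and why Kerberos works for the user in Part 3. The domain names RESDOM/ACCTDOM, the user alice and the computer CLIENT$ are constructed, and the KDC error is simplified to one label.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    kind: str                                  # "NT4" (NTLM only) or "AD" (has a KDC)
    users: set = field(default_factory=set)
    computers: set = field(default_factory=set)
    trusts: set = field(default_factory=set)   # account domains this domain trusts

def kdc_lookup(kdc, principal):
    """Kerberos ticket request: a KDC only knows accounts in its own database."""
    if kdc.kind != "AD":
        return "NO_KDC"                        # an NT 4.0 domain has no KDC at all
    if principal in kdc.users or principal in kdc.computers:
        return "TICKET"
    # RFC 4120 reports this as KDC_ERR_C_/S_PRINCIPAL_UNKNOWN; simplified here
    return "PRINCIPAL_UNKNOWN"

def ntlm_pass_through(r_dc, domains, user):
    """NTLM logon at R_DC, forwarded over a trust when the account lives elsewhere."""
    if user in r_dc.users:
        return r_dc.name
    for name in r_dc.trusts:                   # secure channel R_DC -> trusted A_DC
        acct = domains.get(name)
        if acct is not None and user in acct.users:
            return name                        # R_DC tells the client who authenticated
    return None

def logon(client, user, resource, account):
    """Ordered protocol steps for a user in 'account' on a client joined to 'resource'."""
    # Computer account authentication: NetBIOS finds R_DC, secure channel is set up
    if client not in resource.computers:
        return ["secure-channel:failed"]
    trace = ["secure-channel:" + resource.name]
    # Part 1: DNS finds the AD KDC; the client asks for a ticket for the workstation
    reply = kdc_lookup(account, client)
    trace.append("kerberos-workstation:" + reply)
    if reply == "TICKET":
        return trace                           # plain Kerberos logon, not the article's case
    # Part 2: workstation unknown to the KDC, so NTLM through R_DC across the trust
    auth_dc = ntlm_pass_through(resource, {account.name: account}, user)
    trace.append("ntlm:" + (auth_dc or "failed"))
    if auth_dc is None:
        return trace
    # Part 3: the user is an AD account, so Kerberos to the authenticating DC works
    trace.append("kerberos-user:" + kdc_lookup(account, user))
    trace.append("policies-from:" + auth_dc)
    return trace

# Constructed topology matching the article: NT 4.0 resource domain trusting an AD domain
R_DC = Domain("RESDOM", "NT4", computers={"CLIENT$"}, trusts={"ACCTDOM"})
A_DC = Domain("ACCTDOM", "AD", users={"alice"})
```

Calling `logon("CLIENT$", "alice", R_DC, A_DC)` yields the five steps in the article's order; removing the trust from RESDOM makes the NTLM step fail, which is the symptom to check first when this logon breaks.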

