Account Authentication


Typically, a computer and its stored information must be protected from unauthorized access. Windows XP Professional secures the computer by using account authentication, which can prevent a user from accessing a computer or domain. Account authentication is the process of confirming the identity of a user by verifying the user's logon name and password or smart card information against data stored in an account database, either locally or on a domain controller. After authentication identifies the user, the user is granted access to a specific set of network resources based on permissions. Authorization takes place by means of the access control mechanism, using access control lists (ACLs), which define permissions on file systems, network file and print shares, and entries in the account database. For more information about account authentication, see Logon and Authentication in this book.

Authentication Methods

Account authentication is performed by one of the following two methods:

  • Authentication by the local account database for computers in workgroups and stand-alone computers.

  • Authentication by a domain account database located on a domain controller for computers in a domain.

Windows XP Professional uses the Kerberos V5 authentication protocol as the default authentication method for domain access and NTLM for local access.

When you log on to a Windows domain, Windows XP Professional attempts to use Kerberos V5 security procedures as the primary source of user authentication, searching for the Kerberos Key Distribution Center (KDC) service on the domain controller. The KDC is the account authentication service that runs on all Windows 2000-based and Windows Server 2003-based domain controllers.

In a Windows NT 4.0 environment, Windows 2000 and Windows XP Professional use NTLM to authenticate to the domain's Windows NT Security Accounts Manager (SAM) database on a Windows NT-based domain controller.

When users log on locally to a workstation or to a stand-alone or member server, authentication against the local database occurs by way of NTLM rather than the Kerberos V5 protocol. The local accounts database on Windows XP Professional-based and Windows 2000-based computers is a SAM database, similar to the database used in Windows NT 4.0 and earlier.

Logon Names

A user must have a unique logon name to access a domain and its resources. In a domain environment, a user is a type of security principal. Every account, domain or local, has a user name, which is also called the SAM account name.

The logon name for a user on the local computer is the same as the user name for the account stored on the local computer.

The logon name for a user in the domain can be one of two types (every Windows 2000 or Windows Server 2003 domain user has both by default), both of which contain the user name of the domain account:

User Principal Name

The user principal name consists of the SAM account name, the at sign (@), and a user principal name suffix. The user principal name suffix is the DNS domain name of the forest root domain, but you can change the suffix. For example, the user John Doe, who has a user account in the reskit.com domain, might have the user principal name JDoe@reskit.com. This form of the logon name can be used to log on to Windows 2000 or Windows Server 2003 networks.

User Logon Name (Pre-Windows 2000)

The SAM account name is combined with the NetBIOS domain name, separated by a backslash (for example, reskit\JDoe). This form of the logon name is used to log on to Windows NT networks or to log on to a Windows 2000 or Windows Server 2003 network from a client that is running an earlier version of Windows or accessing a server that is running an earlier version of Windows.

The user principal name of the user object is independent of the distinguished name, which is the name that identifies the object and its location within Active Directory. Theoretically, two accounts that log on to the same domain can have the same SAM account name. In such a situation, it is the distinguished name that differentiates the object, not the SAM account name or the user principal name. While this sharing of one principal name by two user objects is possible, it is never recommended, because it can cause confusion. Also, you can move or rename a user object without affecting the user principal name, and you can have multiple user principal names.
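As an added example (not code from the Resource Kit), the following Python parser classifies a logon name into the user principal name, pre-Windows 2000 and local forms described above, and reports the default protocol the text assigns to each logon type. The character rule for the SAM account name and the DNS-suffix check are assumptions of this example, not Windows's exact naming rules.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Conservative character rule for the SAM account name; an assumption of this
# example, not a statement of Windows's exact naming rules.
_INVALID_SAM_CHARS = set('"/\\[]:;|=,+*?<>@')
_DNS_SUFFIX = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")

@dataclass(frozen=True)
class LogonName:
    form: str                  # "upn", "downlevel" or "local"
    sam_account_name: str      # the user name stored in the account database
    domain: Optional[str]      # UPN suffix, NetBIOS domain name, or None for local

def parse_logon_name(text: str) -> LogonName:
    """Split a logon name into one of the forms described in the text.
    user@reskit.com  -> UPN: SAM account name + '@' + UPN suffix
    reskit\\user     -> pre-Windows 2000: NetBIOS domain + '\\' + SAM account name
    user             -> account in the workstation's local SAM database
    """
    text = text.strip()
    if not text:
        raise ValueError("empty logon name")
    if "\\" in text:
        domain, _, sam = text.partition("\\")
        form = "downlevel"
        if not domain or "\\" in sam or "@" in domain:
            raise ValueError("malformed down-level logon name: %r" % text)
    elif "@" in text:
        sam, _, domain = text.partition("@")
        form = "upn"
        if not _DNS_SUFFIX.match(domain):
            raise ValueError("UPN suffix is not a DNS name: %r" % domain)
    else:
        sam, domain, form = text, None, "local"
    if not sam:
        raise ValueError("missing user name in %r" % text)
    bad = _INVALID_SAM_CHARS & set(sam)
    if bad:
        raise ValueError("SAM account name %r contains %s" % (sam, "".join(sorted(bad))))
    return LogonName(form, sam, domain)

def expected_protocol(name: LogonName, domain_is_nt4: bool = False) -> str:
    """Default protocol per the text: NTLM for local logons and Windows NT 4.0
    domains, Kerberos V5 for Windows 2000 / Windows Server 2003 domains."""
    if name.form == "local" or domain_is_nt4:
        return "NTLM"
    return "Kerberos V5"
```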


Microsoft Windows XP Professional Resource Kit 2003