How Interactive Logon Works_ Logon and Authentication


    6/23/2015 How Interactive Logon Works: Logon and Authentication
    https://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx

    How Interactive Logon Works

    Updated: March 31, 2015

    Applies To: Windows 7, Windows 8, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

    In this section

    Interactive Logon Architecture

    Interactive Logon Components

    Interactive Logon Protocols

    Interactive Logon Processes and Interactions

    Network Ports Used by Interactive Logon

    Related Information

    The interactive logon process is the first step in user authentication and authorization. Interactive logon is mandatory in the Windows Server 2003, Windows XP, Microsoft Windows 2000, and Windows NT 4.0 operating systems. Interactive logon provides a way to identify authorized users and determine whether they are allowed to log on and access the system.

    This section describes the interactive logon architecture, the process of an interactive logon, and the way in which the Windows Server 2003 interactive logon process locks the workstation and helps to keep it secure.

    Interactive Logon Architecture

    The Windows Server 2003 interactive logon architecture includes the following components:

    Winlogon

    Graphical Identification and Authentication (GINA) dynamic-link library (DLL)

    Local Security Authority (LSA)

    Authentication packages (NTLM and Kerberos)

    For more information about these components, see Interactive Logon Components later in this section.

    Windows Server 2003 interactive logons begin with the user pressing CTRL+ALT+DEL to initiate the logon process. The CTRL+ALT+DEL keystroke is called a secure attention sequence (SAS); Winlogon registers this sequence during the boot process to keep other programs and processes from using it. The GINA DLL generates the logon dialog box. The following figure shows the Windows Server 2003 logon dialog box.

    Windows Server 2003 Logon Dialog Box

    A user who logs on to a computer using either a local or domain account must enter a user name and password, which form the user's credentials and are used to verify the user's identity. For smart card logons, a user's credentials are contained on the card's security chip, which is read by an external device, a smart card reader. During a smart card logon, a user enters a personal identification number (PIN) instead of a user name, domain, and password.

    Local Logon

    Local logons give users access to local computer applications and resources but not to domain applications and resources. When users log on locally, their identities are validated by authentication packages against local account information stored in the Security Accounts Manager (SAM) database. The SAM operates in the security context of the LSA; it protects and manages user and group information in the form of security accounts stored in the local computer registry. Because user accounts are stored on the local computer, network access is not required for local logons. However, if a computer has a network connection and a user logs on to a local account, there is no interaction with the network.

    Local logons can be performed on Windows client operating systems, such as Windows XP and Windows 2000 Professional. Windows server operating systems, such as Windows NT Server, Windows 2000 Server, and Windows Server 2003, also permit local logons.

    The following figure shows the local logon architecture.

    Interactive Local Logon

    A successful local logon begins when a user presses CTRL+ALT+DEL. Winlogon and the GINA DLL collect the user's credentials and then send the credentials to the LSA. The LSA verifies the user's identity and then returns a logon success and the user's access token to Winlogon and the GINA DLL. Winlogon and the GINA DLL then activate the user's shell by creating a new process, such as Explorer.exe.

    Domain Logon

    Domain logons give users access to resources throughout the domain. Domain user accounts are stored in an Active Directory domain. Active Directory is deployed on each domain controller, and domain user accounts are replicated throughout a domain.

    Before a user can log on to a computer by using a domain account, the computer must be joined to a domain. If the computer has access to a network connection, the user can log on to a domain if the user has an account in the domain's Active Directory.

    The computer must transparently authenticate to the domain's Active Directory. This form of logon is called a computer logon. Both users and computers are considered equal security principals in Active Directory; to be granted access to network resources, both must be able to verify their identities.

    Users can use a domain account to log on to Windows client operating systems, such as Windows 8. Windows server operating systems, such as Windows Server 2012 R2, also permit domain logons. Only server operating systems can function as domain controllers and deploy Active Directory.

    On a domain-joined computer, Windows is hard-coded to show only the last logged-on user or Other user. Additional tiles for other users to log on are available only for computers joined to a workgroup.

    The following figure shows the domain logon architecture.

    Interactive Domain Logon

    Unlike a local logon, in which the local LSA validates the user, during a domain logon the LSA on a domain controller validates the user. The LSA evaluates the user's credentials to determine if the logon should be processed as a logon to a local account or a logon to a domain account. After determining the logon type, either the NTLM or Kerberos authentication package validates the user. If the authenticating domain controller is a computer running Windows 2000 or Windows Server 2003, the LSA will use Kerberos, the default authentication package for domain and network logons. The LSA uses NTLM to process domain logons in Windows NT 4.0 mixed environments.


    Single Sign-On

    Single sign-on (SSO) uses credentials collected during an interactive domain logon to allow the user to authenticate to a network one time and, thereafter, to have access to all authorized network resources without additional authentication. The network resources can range from hardware devices, such as printers, to applications, files, and other types of data, all of which may be located throughout an enterprise on servers of various types, possibly in different domains and running different operating systems.

    Cached Credentials

    After a successful domain logon, information is cached; this means that later a user can log on to the computer with the domain account even if the domain controller that authenticated the user is not available. Because the user has already been authenticated, Windows uses the cached credentials to log the user on locally. For example, if a mobile user logs on to a portable computer that is a domain member with a domain account and then takes the portable computer to a location where the domain is unavailable, Windows will attempt to use the cached credentials from the last successful logon with a domain account to locally log on the user and allocate access to local computer resources.

    Interactive Logon Components

    The components of the interactive logon process are responsible for helping to establish secure user authentication. This section describes the roles and functions of the user logon components.

    Winlogon

    Winlogon (%windir%\System32\Winlogon.exe) is the executable file responsible for managing secure user interactions. Winlogon initiates the logon process for Windows Server 2003, Windows 2000, Windows XP, and Windows NT 4.0.

    Winlogon is responsible for the following tasks.

    Desktop lockdown

    Standard SAS recognition

    SAS routine dispatching

    User profile loading

    Screen saver control

    Multiple network provider support

    Desktop Lockdown

    Winlogon helps prevent unauthorized users from gaining access to system resources by locking the computer desktop. At any time, Winlogon is in one of three possible states: logged on, logged off, or workstation locked, as shown in the following figure.

    Winlogon States

    Winlogon switches between three desktops (Winlogon, screen saver, and default), depending on its state and user activity. The following table lists and describes each of these desktops.

    Winlogon Desktops

    Desktop        Description

    Winlogon       Also called the secure desktop. There are five dialog boxes in the Winlogon desktop, which are described in the following table.

    Screen saver   Used when a screen saver is running.

    Default        Displayed when a user has successfully logged on to Windows Server 2003 and the user's shell has been activated. The user's applications run in this desktop.


    The following table lists and describes the five dialog boxes in the Winlogon desktop.

    Winlogon Desktop Dialog Boxes

    Dialog box           Description

    Welcome to Windows   Displayed when a computer has initially booted and no user has entered a SAS, or when a user has logged off.

    Log On to Windows    Displayed after a user presses CTRL+ALT+DEL when no user is currently logged on.

    Windows Security and Change Password
                         Displayed when a logged-on user presses CTRL+ALT+DEL while the workstation is not locked, or when, with the workstation not locked, a user presses CTRL+ALT+DEL and then clicks Change Password.

    Computer Locked      Displayed when the workstation is locked, either explicitly by the user or when a screen saver that is set as secure is dismissed.

    Unlock Computer      Displayed when a user presses CTRL+ALT+DEL when the workstation is locked.

    By switching between the desktops for different logon tasks, Winlogon ensures that its processes will be invisible to applications not involved in the logon process, preventing logon data from being compromised.

    Standard SAS Recognition

    Winlogon registers the default SAS during the boot process, which ensures that no other program can access the same key sequence and compromise the logon process by impersonating Winlogon and its logon dialog boxes.

    SAS Routine Dispatching

    When Winlogon recognizes a SAS event or the GINA delivers a SAS, Winlogon calls one of the SAS processing functions of the GINA.

    User Profile Loading

    After a successful logon, Winlogon loads user profiles into the HKEY_CURRENT_USER registry key.

    Screen Saver Control

    Winlogon monitors keyboard and mouse activity to determine when to activate screen savers. When a screen saver that is set as secure is dismissed, Winlogon treats the workstation as locked and the GINA displays the Computer Locked dialog box. When a screen saver not set as secure is dismissed, the user is able to access the application desktop without being prompted to re-enter credentials.

    Multiple Network Provider Support

    If there are multiple network providers installed on a Windows-based system, they can be included in the authentication process and in password-updating operations. This inclusion lets additional network providers gather identification and authentication information during a logon, using the secure desktop.

    GINA

    The GINA is a DLL module that operates in the security context of Winlogon. Winlogon loads the GINA early in the boot process. The GINA is responsible for processing SAS events and activating the user's shell. The GINA can generate SAS events in some instances.

    In Windows Server 2003, Windows XP, and Windows 2000, Msgina.dll (%windir%\System32\Msgina.dll) is the default GINA; it can be replaced to support specific and unique authentication methods. GINA customization is enabled to accommodate the use of authentication hardware tokens, such as retinal scanners and proprietary smart card solutions.

    LSA

    The LSA (%windir%\System32\lsass.exe) is a protected security subsystem that helps create secure user interactions in Windows Server 2003. Winlogon and the GINA call the LSA to process logon credentials.

    The following components involved in user logon run in the security context of the LSA:

    Authentication packages

    SAM

    Active Directory

    LSA Responsibilities


    Role                          Description

    Application programming       The LSA provides APIs for:
    interfaces (APIs)             - Packages to create a user's logon token after authentication.
                                  - Applications to call directly for user logon.
                                  - Microsoft Security Support Provider Interface (SSPI) requests and the routing of requests to the appropriate authentication package.
                                  - Applications to enumerate available authentication packages and query package capabilities.
                                  - Applications to resolve Security Identifier-to-Name and Name-to-Security Identifier.
                                  - Applications to store secret information in the system.

    Logon session state           Manages the state of the logon session for any user authenticated by the authentication packages.

    Notification to installed     Notifies installed authentication packages of user logon, logoff, and credential updates.
    authentication packages

    Authentication packages       Loads and unloads authentication packages.

    Encryption assistance         Includes subcomponents that provide encryption services to users of the local computer.

    The following figure shows the LSA architecture. Winlogon, which runs as a separate process from lsass.exe, is shown here to illustrate the way in which the logon process interacts with the LSA.

    LSA Architecture

    Note

    Some components shown in this figure run only on domain controllers or non-domain controllers. The SAM runs only on non-domain controllers and Windows NT computers; Directory Services runs only on domain controllers.

    As the figure shows, all calls from Winlogon are sent by using the Secur32.dll LsaLogonUser call. LsaLogonUser returns the call through local procedure call (LPC) to the LSA Server service. The LSA Server service then determines which authentication package to use to process the logon.

    You can set user rights for local computers by using the Local Security Policy snap-in of the Microsoft Management Console (MMC). On Windows Server 2003 non-domain controllers, the Group Policy User Rights Assignment contains information about which users are authorized to perform different tasks, including logging on to the system locally. Domain controllers use the Domain Security Policy snap-in of the MMC to set user rights for domain computers. The User Rights Assignment on domain controllers contains information that applies to the entire domain.

    Authentication Packages

    Authentication packages on the user's local computer communicate with server authentication packages to authenticate users. Windows Server 2003 applies default authentication packages for user authentication and also supports custom authentication packages.


    The following table lists the Windows Server 2003 authentication packages used for interactive logons.

    Interactive Logon Authentication Packages

    Name                      Associated Protocol   Environment

    Kerberos version 5 (V5)   Kerberos.dll          Windows 2000, Windows XP, and Windows Server 2003

    NTLM                      MSV1_0.dll            Windows NT 4.0 and mixed environments

    SAM

    The SAM stores information about local user accounts in the Windows registry. Passwords are encrypted by the NTLM authentication package. The outcome of the encryption is a hashed password transformed into ciphertext, a string of numbers and letters that appears meaningless. The hashing process occurs by means of a hashing algorithm. NTLM uses the same algorithm to encrypt and decrypt a user's password.

    Active Directory

    Domain account information is stored in Active Directory on the domain controllers. Within a particular domain, each domain controller has an identical copy of the domain's Active Directory. Users can therefore authenticate to any domain controller and their logon information will be recognized throughout the domain.

    Interactive Logon Protocols

    In network environments, authentication protocols are used to authenticate users, computers, and groups. For local logons, Windows Server 2003 supports the NTLM authentication protocol. For domain logons, Windows Server 2003 supports the Kerberos V5 and NTLM authentication protocols. Windows Server 2003 also supports custom authentication packages.

    Logon Protocols

    Component      Description

    Kerberos.dll   Kerberos V5 authentication package (authentication protocol). Standard Internet protocol and default network authentication protocol in Windows Server 2003. Performs authentication of users and computers in Windows 2000, Windows XP, and Windows Server 2003.

    MSV1_0.dll     NTLM authentication package (authentication protocol). Default network authentication protocol in Windows NT 4.0. Performs authentication of users and computers in Windows NT 4.0 mixed environments. Included in Windows Server 2003 for compatibility with Windows NT 4.0 mixed environments.

    For more information about how the Kerberos V5 protocol implements user authentication, see Kerberos Authentication Technical Reference.

    Interactive Logon Processes and Interactions

    This section describes the events that occur during an interactive logon.

    Local Logon

    The following figure shows the local logon process.

    Local Logon Process


    The GINA specifies the Negotiate authentication package when it calls into the LSA. Negotiate must then choose an authentication package to process the logon. Negotiate sends the credentials to Kerberos, the default authentication package beginning with Windows Server 2003. However, the Kerberos authentication package cannot process local logons, so it returns an error to Negotiate. Negotiate then calls NTLM to authenticate the user by comparing the received credentials with those hashed in the SAM.

    If the credentials are valid, the LSA generates an access token for the user based upon user rights assigned to the user's account, and LsaLogonUser returns the logon success and the user's access token to Winlogon and the GINA. The GINA then activates the user's shell and Winlogon switches to the default desktop. If the credentials are invalid, the LSA returns a logon failure, the GINA displays an error message and prompts the user to present valid credentials, and Winlogon remains in the Winlogon desktop.

    Domain Logon

    Domain logons can only be performed from computers that are joined to a domain. Domain credentials consist of a user's domain account user name, password, and the name of the domain. The local computer's LSA chooses the appropriate authentication package to use based on the domain's environment.

    The following figure shows the process that occurs when the local computer can reach a domain controller to authenticate the user. If a domain controller is not available, a cached logon occurs.

    Domain Logon Process

    As with the local logon process, the Negotiate authentication package routes the authentication request to the default authentication package, Kerberos.


    The domain client chooses Kerberos, and Kerberos validates the user's credentials by contacting the domain controller. The LSA on the domain controller returns the logon success or failure to the local computer's LSA. If the domain logon succeeds, the local LSA generates an access token for the user based upon user rights assigned to the user's account, and LsaLogonUser returns the logon success and the user's access token to Winlogon and the GINA. The GINA then activates the user's shell, and Winlogon switches to the default desktop. If the credentials are invalid, the LSA returns a logon failure, the GINA displays an error message and prompts the user to present valid credentials, and Winlogon remains in the Winlogon desktop.

    Note

    In Windows NT 4.0 mixed environments, the NTLM authentication package validates the user's credentials by contacting the domain controller. Windows NT 4.0 stores user accounts in the SAM.

    Smart Card Logons

    Windows Server 2003 can be configured to support smart card logons. All smart card logons are processed by the Kerberos authentication package. During a smart card logon, the local computer checks to ensure the user's PIN is valid. The domain controller then authenticates the user based on the user's credentials in the smart card.

    Cached Logons

    Windows Server 2003 supports cached logons. The cached credentials of the last 10 users who have successfully logged on to a domain account can be used to log a user on locally if the authenticating domain controller becomes unavailable.

    Network Ports Used by Interactive Logon

    Because the logon process can be deployed across various network boundaries, it can span one or more firewalls. The following table lists the three main configurable ports used by interactive logon.

    Port Assignments for Interactive Logon

    Service Name        UDP           TCP

    LSA RPC port        Dynamic RPC   Dynamic RPC

    Kerberos V5 port    88            88

    NTLM port           Dynamic       Dynamic

    You can use the Registry Editor to modify the registry to apply fixed ports for NTLM and the LSA.
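    The settings that this section and the earlier Standard SAS Recognition, GINA, Authentication Packages and Cached Logons sections describe can be reviewed on a running computer. The following PowerShell script is an added example, not code from the TechNet article; it assumes the standard Winlogon and LSA registry keys with the value names DisableCAD, GinaDLL, Authentication Packages and CachedLogonsCount, and treats an absent value as its documented default.

```powershell
# Added example (not part of the TechNet article): audits the interactive logon
# settings this page describes on the local computer. The registry paths are the
# standard Winlogon and LSA keys; a value that is absent is reported with its
# documented default (assumption: no policy overrides it elsewhere).
# Run from an elevated PowerShell session on the computer being checked.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Read one registry value, returning $null when it does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Render a value for the report, substituting the documented default when absent.
function Show-Value {
    param($Value, [string]$Default)
    if ($null -eq $Value -or @($Value).Count -eq 0) { return "not set (default: $Default)" }
    return (@($Value) -join ', ')
}

$findings = New-Object System.Collections.ArrayList

# 1. Standard SAS recognition: DisableCAD = 1 removes the CTRL+ALT+DEL
#    requirement, so a logon prompt no longer has to come from Winlogon's
#    secure desktop.
$disableCad = Get-RegValue $winlogon 'DisableCAD'
[void]$findings.Add([pscustomobject]@{
    Check    = 'CTRL+ALT+DEL (SAS) required for logon'
    Value    = Show-Value $disableCad '0'
    Expected = '0 or not set'
    Ok       = ($null -eq $disableCad -or [int]$disableCad -eq 0)
})

# 2. GINA replacement (Windows 2000, XP, Server 2003): a GinaDLL value means
#    Msgina.dll has been replaced by a custom GINA; Vista and later ignore it.
$gina = Get-RegValue $winlogon 'GinaDLL'
[void]$findings.Add([pscustomobject]@{
    Check    = 'Default GINA (Msgina.dll) in use'
    Value    = Show-Value $gina 'Msgina.dll'
    Expected = 'not set'
    Ok       = ($null -eq $gina)
})

# 3. Authentication packages the LSA loads. msv1_0 (NTLM) is the default entry;
#    Kerberos is loaded separately as a security package. Anything else is a
#    custom package and should be accounted for.
$authPkgs = @(Get-RegValue $lsa 'Authentication Packages' | Where-Object { $_ })
$extra    = @($authPkgs | Where-Object { $_ -ne 'msv1_0' })
[void]$findings.Add([pscustomobject]@{
    Check    = 'Only the default authentication package registered'
    Value    = Show-Value $authPkgs 'msv1_0'
    Expected = 'msv1_0'
    Ok       = ($extra.Count -eq 0)
})

# 4. Cached logons: the article states the last 10 successful domain logons are
#    cached; CachedLogonsCount sets that number and 0 disables caching.
$cached = Get-RegValue $winlogon 'CachedLogonsCount'
[void]$findings.Add([pscustomobject]@{
    Check    = 'Cached domain logons kept'
    Value    = Show-Value $cached '10'
    Expected = '10 or fewer, per policy'
    Ok       = ($null -eq $cached -or [int]$cached -le 10)
})

$findings | Format-Table Check, Value, Expected, Ok -AutoSize
```

    A row with Ok set to False is a deviation from the defaults this page describes and is worth tracing to the policy or software that set it.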

    Related Information

    The following resources contain additional information that is relevant to this section.

    Kerberos Authentication Technical Reference

    Authorization and Access Control Technologies

    Community Additions

    "User must Change Password on Next Logon" checkbox

    How is the workflow changed when the "User must Change password on next logon" checkbox is marked? Because validation does happen, but at the same time it does not, because GINA does not activate the shell...

    [tfl 07 10 09] Hi and thanks for your post. You should post questions like this to the TechNet Forums at http://forums.microsoft.com/technet or the MS Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely to get a quick response using the forums than through the Community Content. For specific help about:

    Exchange: http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.exchange%2C&
    SQL Server: http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&
    Windows: http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows%2C&
    Windows Server: http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows.server%2C&
    Virtual Server: http://groups.google.com/group/microsoft.public.virtualserver/topics?lnk
    Full Public: http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C&


    Thomas Lee

    2/7/2010

    2015 Microsoft