User Logon Process

  1. When a user attempts to log on, the KDC on the DC that authenticates the user's logon must provide the SIDs for each domain-based group the user is a member of. These SIDs, together with the SIDs of the local groups the user belongs to, are used to authenticate the user and to grant access to resources.
  2. The global catalog holds different information for different types of groups. When the domain functional level is Windows 2000 native or later, members of a universal group can be accounts or groups from any domain.
  3. Universal groups can also grant access to resources in any domain, and the global catalog contains the complete membership list of every universal group. A domain local group, by contrast, can grant access only to resources in the domain in which it was created, and the global catalog does not contain the membership list of domain local groups. Because the members and resources of a universal group are not necessarily in the user's logon domain, and its membership is stored in the global catalog, the global catalog must be available to ensure that the universal groups the user belongs to are included in the user's list of SIDs.
  4. When the global catalog is available, the authentication and authorization process proceeds as follows.
  5. The user enters credentials at a workstation to log on. The client encrypts the credentials and sends them to a DC for the client's domain.
  6. The encrypted credentials sent by the client are matched against the encrypted credentials held on the DC; the KDC stores the encrypted user credentials.
  7. If the credentials from the client match the credentials stored by the KDC, the process continues.
  8. The DC then builds a list of the domain-based groups the user belongs to, and queries the global catalog to identify the universal groups the user belongs to.
  9. The KDC issues the client a TGT. The TGT contains the encrypted SIDs of the groups the user is a member of. The user is now authenticated and can request access to resources. The client then requests access to a resource that resides on a specific server.
  10. The client uses the TGT to access the TGS on the DC. The TGS issues the client a session ticket for the server on which the resource resides. The session ticket contains the SIDs for the user's group memberships. The client presents the session ticket to the server, and the LSA on the server uses the information in the session ticket to create an access token.
  11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resource's DACL. If they match, the user is granted access to the resource.
  12. When a global catalog server is not available, the KDC cannot obtain the SIDs of the universal groups the user is a member of. In that case the KDC does not issue a TGT for the user, because the unavailable universal groups may be named in an explicit deny permission in a resource's DACL.
  13. If the KDC issued a TGT that omitted the user's universal group membership, security could be compromised.
  14. The global catalog must therefore be available for the user to obtain a TGT. TGTs are valid for 8 hours by default. After a session ticket is granted, the user can use it until logging off or until the session ticket expires, even if the global catalog becomes unavailable during that time. When the global catalog is not available, the user's universal group membership cannot be enumerated and the user cannot log on. However, if no DCs are available at all, the user can still log on to a workstation if the user's credentials are cached on that computer. Universal group membership caching is available on DCs running Windows Server 2003. You can configure universal group membership caching for a site, which enables the DCs within that site to service logon requests for repeat users in the same site.
  15. When a user logs on at a remote site without a global catalog, universal group membership is cached as follows: the first time the user logs on at the local site, the DC contacts a global catalog across the WAN.
  16. The global catalog returns the user's universal group membership, which is cached on the DC. During subsequent logons, the DC resolves the universal group membership at the local site from the cached information, which is refreshed every 8 hours by default.
  17. The benefits of enabling universal group membership caching at a remote site without a global catalog server include the following: authentication does not depend on a WAN link to a global catalog; authentication traffic for repeat users does not cross the WAN; local resolution of universal group membership improves logon times; and because there is no global catalog at the remote site, the WAN link does not have to replicate the entire global catalog.
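The following simulation is an added example, not code from the original post or from Windows itself. It models the two decisions described above: the KDC refusing a TGT when the global catalog is unreachable and no fresh cached membership exists (and why issuing one without the universal SIDs would bypass an explicit deny ACE), and universal group membership caching with the 8-hour refresh interval. The SIDs, user name, and the rule that a cache entry older than the refresh interval is unusable when no global catalog is reachable are assumptions made for the example.

```python
# Constructed sample directory data: hypothetical SIDs, not from any real domain.
DOMAIN_GROUPS = {"alice": ["S-1-5-21-1-1-1-513"]}       # domain-based groups the DC knows itself
UNIVERSAL_GROUPS = {"alice": ["S-1-5-21-1-1-1-1105"]}   # universal groups known only via the global catalog
CACHE_REFRESH_HOURS = 8                                 # refresh interval stated in the post


class Site:
    """State of a site's DC: whether a global catalog is reachable and whether caching is on."""

    def __init__(self, gc_available, caching_enabled):
        self.gc_available = gc_available
        self.caching_enabled = caching_enabled
        self.cache = {}  # user -> (universal group SIDs, simulation hour at which they were cached)


def issue_tgt(site, user, now_hours):
    """Return the group SIDs the KDC would place in the TGT, or None when it must refuse the logon."""
    sids = list(DOMAIN_GROUPS.get(user, []))
    if site.gc_available:
        universal = UNIVERSAL_GROUPS.get(user, [])
        if site.caching_enabled:
            site.cache[user] = (universal, now_hours)  # first logon at the site fills the cache
    elif (site.caching_enabled and user in site.cache
          and now_hours - site.cache[user][1] < CACHE_REFRESH_HOURS):
        universal = site.cache[user][0]                # repeat logon served from the local cache
    else:
        return None  # no GC and no fresh cache (assumed unusable): refuse rather than omit universal SIDs
    return sids + universal


def access_check(token_sids, dacl):
    """Simplified DACL check for one access right over canonically ordered ACEs:
    a matching deny ACE refuses access, otherwise any matching allow ACE grants it."""
    granted = False
    for ace_type, sid in dacl:
        if sid in token_sids:
            if ace_type == "deny":
                return False
            granted = True
    return granted


# Resource DACL: the universal group is explicitly denied, Domain Users is allowed.
DACL = [("deny", "S-1-5-21-1-1-1-1105"), ("allow", "S-1-5-21-1-1-1-513")]

if __name__ == "__main__":
    site = Site(gc_available=True, caching_enabled=True)
    print("GC reachable:", access_check(issue_tgt(site, "alice", 0), DACL))        # False
    site.gc_available = False
    print("served from cache:", access_check(issue_tgt(site, "alice", 1), DACL))  # False
    print("cache stale, no GC:", issue_tgt(site, "alice", 9))                      # None
    print("universal SIDs omitted:", access_check(DOMAIN_GROUPS["alice"], DACL))   # True (unsafe)
```

The last line shows the risk the post describes: a token built without the universal group SID matches only the allow ACE, so the explicit deny is silently skipped.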

About jaihunt
Working as Technical consultant in Windows technologies
