Authentication process

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Authentication in the Windows Server 2003 family consists of two parts: an interactive logon process and a network authentication process. Successful user authentication depends on both of these processes.

Interactive logon process

The interactive logon process confirms the user's identification to either a domain account or a local computer. The process differs depending on the type of user account:

  • With a domain account, a user logs on to the network with a password or smart card by using single sign-on credentials stored in Active Directory. By logging on with a domain account, an authorized user can access resources in the domain and any trusting domains. Kerberos V5 is used for authentication if a password is used to log on to a domain account. Kerberos V5 authentication with certificates is used if a smart card is used instead.

  • With a local computer account, a user logs on to a local computer by using credentials stored in the Security Accounts Manager (SAM), which is the local security account database. Any workstation or member server can store local user accounts.

Network authentication process

Network authentication confirms the user's identification to any network service that the user is attempting to access. To provide this type of authentication, many mechanisms are supported, including Kerberos V5, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and, for compatibility with Windows NT 4.0, LAN Manager.

Network authentication is not visible to users who log on with a domain account, because the domain account gives the user credentials that are used automatically for single sign-on. Users who log on with a local computer account must provide credentials (such as a user name and password) every time they access a network resource.

For information about authentication methods and protocols used by Network Connections, see Authentication Protocols and Methods.