Authentication Background Information
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Windows Server 2003 authentication technology includes a number of features that provide solutions for a wide variety of business needs.
Central administration of accounts
Administrators can create a single account for each user that allows the user to access the appropriate network resources. Users can log on at different desktops, workstations, or notebooks in the domain by using the same user name and a password or smart card.
Single sign-on environment
Users are required to enter a user name and password or smart card only when first logging on to a Windows Server 2003–based computer. The Windows Server 2003 operating system automatically authenticates the user to the local computer, to the Active Directory domain, and to any other application or resource server in the forest that requires authentication prior to access.
When users change passwords, the updates are made to the user accounts in Active Directory. The password changes apply automatically to all resources in the domain or forest.
Computer accounts in Active Directory
Computer accounts in Active Directory for all of the computers within a domain allow many of the Windows Server 2003 security features that are designed for users to be applied to computers as well.
Computer accounts in Active Directory also allow you to add application servers as member servers within your trusted domains and to demand authentication from the users and other services that access these resource servers.
Service accounts in Active Directory
The services running on resource servers are authenticated automatically if the servers are members of a domain that trusts the user’s account domain. In Windows Server 2003, all of the domains in a forest automatically have two-way transitive trust. Windows Server 2003 also supports transitive trust relationships between forests. In this way, when organizations add application servers to their domains, only authenticated users and services can access them.
Smart card support
Windows Server 2003 supports optional smart card authentication. A smart card contains a processor chip that stores the user’s private key and public key certificate. The user inserts the card into a smart card reader attached to the computer. The user then types in a personal identification number (PIN) when requested, to enable access to the keys stored on the smart card. Authentication proceeds when the correct PIN enables access to the private key and the certificate on the card, allowing the Active Directory authentication service to verify the user’s identity. In this way, computers that store highly sensitive data can be secured from attack without the need to store them in locked rooms. At the same time, authorized users can access information stored on high-security computers.
Certification for Microsoft Windows
Windows Server 2003 authentication interoperates with third-party applications designed according to the Application Specification for Windows 2000. The Application Specification defines the technical requirements for applications to earn the Certified for Microsoft Windows logo.
Applications can carry the Certified for Microsoft Windows logo when they have passed compliance testing and have executed a logo license agreement with Microsoft. To pass compliance testing, a server application must operate within the appropriate security context, reducing the risk posed by successful attacks, and perform Kerberos-based mutual authentication for all client requests, ensuring that clients know that the servers with which they are communicating are the intended parties, and not attackers posing as the server.
Windows Server 2003 provides security audit information to track attempts to log on to servers and workstations. This gives organizations the ability to detect unauthorized attempts to access the system.
Kerberos V5 authentication protocol
When a client attempts to connect to a resource server, the Kerberos Key Distribution Center (KDC), running on a domain controller, provides the client with a ticket to verify the user’s identity to the server, and a shared secret key. The ticket allows the server to validate the user immediately and can be used multiple times. The shared secret key is passed to the server in encrypted form, allowing both computers to use the shared secret key to encrypt any network data they exchange.
The Microsoft implementation of the Kerberos authentication protocol is based on industry standard specifications defined by the Internet Engineering Task Force (IETF). The Kerberos V5 authentication protocol provides the following advantages:
Efficient authentication to servers. Because authentication takes place quickly, users do not lose productive work time. Clients can obtain a ticket for a particular server one time and reuse the ticket for multiple network sessions.
Mutual authentication. By means of the shared secret key, parties at both ends of a network connection can verify each other’s identities. This is a change from NTLM, which allows only servers to verify the identities of their clients.
Delegated authentication. A service can impersonate a client when connecting to a network service, such as a database. Delegated authentication is not available in NTLM.
Interoperability. Kerberos authentication in Windows Server 2003 can interoperate with the implementation of Kerberos authentication in other operating systems.
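The KDC exchange described above, as an added simulation in Python that is not Microsoft's code and does not use the real Kerberos wire format or encryption types: a toy KDC wraps a fresh session key in a ticket under the server's long-term key and in a reply under the client's key, the client reuses that one ticket across several connections with a fresh authenticator each time, and the server answers under the session key so the client can verify it (mutual authentication). The principal names, keys, lifetimes and the SHA-256/HMAC envelope are constructed assumptions.

```python
import hashlib, hmac, json, os
def _stream(key, nonce, n):  # SHA-256 counter keystream: a constructed toy, not a real Kerberos encryption type
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC a JSON object (stands in for the encrypted part of a ticket or authenticator)
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Long-term keys (constructed): the KDC's database copy; the simulated server reads its own key from here too.
KDC_KEYS = {"alice": os.urandom(32), "sqlsvc": os.urandom(32)}
TICKET_LIFETIME, CLOCK_SKEW = 8 * 3600, 300  # seconds (assumed values)

def kdc_issue(client, server, now):  # KDC: session key wrapped in a ticket (server's key) and a reply (client's key)
    skey = os.urandom(32).hex()
    ticket = seal(KDC_KEYS[server], {"client": client, "server": server, "skey": skey, "expires": now + TICKET_LIFETIME})
    return seal(KDC_KEYS[client], {"skey": skey, "ticket": ticket.hex()})

def client_authenticator(skey, client, now):  # client proves it holds the session key; the ticket is reused unchanged
    return seal(skey, {"client": client, "ts": now})

def server_accept(server, ticket_hex, authenticator, now):  # server opens the ticket with its own key, checks the authenticator
    t = unseal(KDC_KEYS[server], bytes.fromhex(ticket_hex))
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if t["server"] != server or a["client"] != t["client"]:
        raise ValueError("principal mismatch between ticket and authenticator")
    if now > t["expires"] or abs(now - a["ts"]) > CLOCK_SKEW:
        raise ValueError("ticket expired or authenticator timestamp outside allowed skew")
    return seal(bytes.fromhex(t["skey"]), {"ts": a["ts"]})  # mutual auth: only a session-key holder can produce this

def is_rejected(*args):  # True when server_accept raises for (server, ticket_hex, authenticator, now)
    try:
        server_accept(*args)
        return False
    except ValueError:
        return True

def run_exchange(now=1_000_000, sessions=2):  # one KDC round trip, then `sessions` connections reusing one ticket
    rep = unseal(KDC_KEYS["alice"], kdc_issue("alice", "sqlsvc", now))
    skey = bytes.fromhex(rep["skey"])
    replies = [server_accept("sqlsvc", rep["ticket"], client_authenticator(skey, "alice", now + i), now + i)
               for i in range(sessions)]
    return all(unseal(skey, r)["ts"] == now + i for i, r in enumerate(replies))  # client side of mutual auth
```

The rejection paths (a ticket sealed under the wrong key, an expired ticket, a stale or mismatched authenticator) are the checks a resource server performs before trusting a caller, which is why a ticket can be presented repeatedly without the KDC being contacted again.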