Introduction to authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A key feature of authentication in the Windows Server 2003 family is its support for single sign-on. Single sign-on allows a user to log on to the domain once, with a single password or smart card, and then authenticate to any computer or service in the domain (and in any trusting domain) without being prompted for credentials again.

Single sign-on provides two main benefits:

  • For a user, a single password or smart card is all that must be remembered and presented. Fewer credentials means fewer forgotten passwords and less time spent re-entering credentials for each resource.

  • For administrators, the amount of administrative support required for domain users is reduced, because each user has only one account to manage: one password to reset, and one account to disable when the user leaves.

Authentication, including single sign-on, is implemented as a two-part process: interactive logon and network authentication. Successful user authentication depends on both of these processes.

Interactive logon

Interactive logon confirms the user's identity against either a domain account or a local computer account. The process differs depending on the type of account:

  • With a domain account, a user logs on to the network with a password or smart card, using single sign-on credentials stored in the Active Directory directory service. By logging on with a domain account, an authorized user can access resources in the domain and in any trusting domains. If a password is used to log on to a domain account, Kerberos V5 is used for authentication. If a smart card is used instead, Kerberos V5 is still used, with the certificate on the card taking the place of the password in the initial authentication exchange (the PKINIT extension to Kerberos).

  • With a local computer account, a user logs on to a local computer using credentials stored in the Security Accounts Manager (SAM), the local security account database. Any workstation or member server can store local user accounts, but those accounts can be used only for access to that computer; they are not known to the domain.

Network authentication

Network authentication confirms the user's identity to any network service that the user attempts to access. To provide this type of authentication, the security system supports several authentication mechanisms, including Kerberos V5, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and, for compatibility with Windows NT 4.0, NTLM. NTLM is also used whenever Kerberos cannot be, for example when a server is addressed by IP address rather than by name, or when the client or the server is not a member of a domain.

For a user logged on with a domain account, network authentication is transparent: the Kerberos credentials obtained at interactive logon are reused to authenticate to each service without a prompt. A user logged on with a local computer account has no domain credentials to reuse and must supply a user name and password each time a network resource is accessed (unless an account with the same name and password exists on the target computer, in which case Windows presents the local credentials automatically). Only a domain account therefore provides true single sign-on.
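The two-part process is visible in the Windows Server 2003 security log: an interactive logon is recorded as event 528 and a network logon as event 540, each carrying a Logon Type (2 = interactive, 3 = network) and the Authentication Package that was used (Kerberos or NTLM; interactive logons record Negotiate). The following script is an added example and is not part of this documentation. It parses constructed records laid out like those events, decides from the Domain field whether each account is a domain account or a local SAM account (the field holds the domain's NetBIOS name for the former and the computer's own name for the latter), and flags domain accounts that authenticated over the network with NTLM rather than Kerberos. The sample entries, the CONTOSO domain, the account names and the workstation names are made up, and the `---` separator is a convention of this example, not of the event log.

```python
"""Classify Windows Server 2003-style security log entries by account kind,
logon type and authentication package.

Added example. The records below are constructed in the layout of security
events 528 (Successful Logon) and 540 (Successful Network Logon); the account
names, domain name and workstation names are made up.
"""
import re
from collections import Counter

# Logon Type codes as recorded in events 528/540 (subset used here).
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Constructed sample records; '---' separates events (a convention of this
# example, not of the event log).
SAMPLE_LOG = """
Event ID: 528
Successful Logon:
    User Name:              alice
    Domain:                 CONTOSO
    Logon Type:             2
    Authentication Package: Negotiate
    Workstation Name:       WS01
---
Event ID: 540
Successful Network Logon:
    User Name:              alice
    Domain:                 CONTOSO
    Logon Type:             3
    Authentication Package: Kerberos
    Workstation Name:
---
Event ID: 540
Successful Network Logon:
    User Name:              alice
    Domain:                 CONTOSO
    Logon Type:             3
    Authentication Package: NTLM
    Workstation Name:       WS01
---
Event ID: 540
Successful Network Logon:
    User Name:              backup
    Domain:                 FILESRV01
    Logon Type:             3
    Authentication Package: NTLM
    Workstation Name:       WS02
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")

def parse_events(text):
    """Split on '---' and turn each 'Field: value' line into a dict entry;
    keep only blocks that carry an Event ID."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if "Event ID" in fields:
            events.append(fields)
    return events

def classify(event, domain_names):
    """Return (account_kind, logon_kind, package) for one event. The Domain
    field holds the AD domain's NetBIOS name for a domain account and the
    computer's own name for a local SAM account."""
    known = {d.upper() for d in domain_names}
    account_kind = "domain" if event.get("Domain", "").upper() in known else "local"
    logon_type = int(event.get("Logon Type", "0"))
    logon_kind = LOGON_TYPES.get(logon_type, f"Other({logon_type})")
    return account_kind, logon_kind, event.get("Authentication Package", "")

def summarize(events, domain_names):
    """Count events per (account kind, logon kind, authentication package)."""
    return Counter(classify(e, domain_names) for e in events)

def ntlm_domain_network_logons(events, domain_names):
    """Domain accounts that authenticated over the network with NTLM rather
    than Kerberos (single sign-on still worked, but via the NT 4.0-compatible
    path). Returns (domain, user, workstation) tuples."""
    hits = []
    for e in events:
        kind, logon_kind, package = classify(e, domain_names)
        if kind == "domain" and logon_kind == "Network" and package.upper() == "NTLM":
            hits.append((e["Domain"], e["User Name"], e.get("Workstation Name", "")))
    return hits

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for key, n in sorted(summarize(evts, ["CONTOSO"]).items()):
        print(n, "x", key)
    for hit in ntlm_domain_network_logons(evts, ["CONTOSO"]):
        print("NTLM used by domain account:", hit)
```

Run against the constructed records, the summary shows one interactive logon and one Kerberos network logon for the domain account (the transparent single sign-on case), one NTLM network logon for that same domain account, and one NTLM network logon for the local account on FILESRV01, which can never use Kerberos. The NTLM hit for the domain account is the one worth investigating: it means a Kerberos-capable user reached a service by a path that fell back to the NT 4.0-compatible protocol.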

For more information about authentication, see "Logon and Authentication" at the Microsoft Windows Resource Kits Web site.