Security

Interactive logon confirms the user's identification to either a domain account or a local computer. This process differs, depending on the type of user account:

  • With a domain account, a user logs on to the network with a password or smart card, using single sign-on credentials stored in Active Directory. By logging on with a domain account, an authorized user can access resources in the domain and any trusting domains. If a password is used to log on to a domain account, Windows 2000 uses Kerberos v5 for authentication. If a smart card is used, Windows 2000 uses Kerberos v5 authentication with certificates, unless the server is not a Windows 2000 server.

  • With a local computer account, a user logs on to a local computer using credentials stored in Security Account Manager (SAM), which is the local security account database. Any workstation or member server can store local user accounts, but those accounts can only be used for access to that local computer.

Windows 2000 uses a user principal name (UPN) to identify users for interactive logon. UPNs serve the same purpose as user names and are formatted as username@domain.

If Logon domain does not appear in the dialog box provided at logon, and you want to log on to a Windows 2000 domain, you can type your user name and the Windows 2000 domain name in two ways:

  • Your user principal name prefix (your user name) and your user principal name suffix (your Windows 2000 domain name), joined by the at sign (@). For example, user@sales.westcoast.microsoft.com.

  • Your Windows 2000 domain name and your user name, separated by the backslash (\) character. For example, sales\user.

Note that the suffix in the first example is a fully-qualified DNS domain name. Your administrator might have created an alternative suffix to simplify the logon process. For example, creating a user principal name suffix of microsoft allows the same user to log on using the much simpler user@microsoft.com.
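As an added example (not code from Microsoft's documentation), the following Python parser accepts both logon forms described above and reduces them to one canonical account, which is what you need when correlating logon events that spell the same user both ways. The NetBIOS name SALES and the suffix-to-domain table are constructed for the example forest in the text.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed for this example: how the example forest resolves the
# NetBIOS domain name and the UPN suffixes (including the alternative
# suffix "microsoft.com" from the text) back to the DNS domain name.
NETBIOS_TO_DNS = {"SALES": "sales.westcoast.microsoft.com"}
UPN_SUFFIX_TO_DNS = {
    "sales.westcoast.microsoft.com": "sales.westcoast.microsoft.com",
    "microsoft.com": "sales.westcoast.microsoft.com",
}

@dataclass(frozen=True)
class LogonName:
    form: str      # "upn", "downlevel" or "local"
    user: str      # user name / UPN prefix exactly as typed
    domain: str    # UPN suffix, NetBIOS name, or "" for a local account

def parse_logon_name(raw: str) -> LogonName:
    """Split a typed logon name into its parts without resolving anything."""
    name = raw.strip()
    if not name:
        raise ValueError("empty logon name")
    if "\\" in name:
        # Down-level form DOMAIN\user; ".\user" or "\user" means the local computer.
        domain, _, user = name.partition("\\")
        if not user or "\\" in user or "@" in user:
            raise ValueError(f"malformed down-level name: {raw!r}")
        if domain in ("", "."):
            return LogonName("local", user, "")
        return LogonName("downlevel", user, domain)
    if "@" in name:
        # UPN form prefix@suffix; the suffix is a DNS-style name.
        user, _, suffix = name.rpartition("@")
        if not user or not suffix or "@" in user:
            raise ValueError(f"malformed UPN: {raw!r}")
        return LogonName("upn", user, suffix)
    return LogonName("local", name, "")

def canonical_account(raw: str) -> Tuple[str, Optional[str]]:
    """Return (user, dns_domain) so both spellings of one account compare equal.

    Local accounts map to (user, None). An unknown suffix or NetBIOS name
    raises instead of guessing a domain."""
    ln = parse_logon_name(raw)
    if ln.form == "local":
        return ln.user.lower(), None
    table = UPN_SUFFIX_TO_DNS if ln.form == "upn" else NETBIOS_TO_DNS
    key = ln.domain.lower() if ln.form == "upn" else ln.domain.upper()
    if key not in table:
        raise LookupError(f"unknown domain or UPN suffix in {raw!r}")
    return ln.user.lower(), table[key]
```

With these tables, sales\user, user@sales.westcoast.microsoft.com and user@microsoft.com all canonicalize to the same account, while .\user stays a local SAM account.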

Smart Cards

Interactive logon can be configured to require smart card authentication for greater security.

Smart cards are credit card–sized plastic cards that contain integrated circuit chips. Smart cards are used to store users' certificates and private keys, enabling easy transport of these credentials. Smart cards can perform sophisticated public key cryptography operations, such as digital signing and key exchange.

You can deploy smart cards and smart card readers to provide stronger user authentication and security for a range of security solutions, including logging on over a network, secure Web communication, and secure e-mail.

Smart cards provide tamper-resistant authentication through onboard private key storage and processing. The private key is used in turn to provide other forms of security related to digital signatures and encryption.

For detailed procedures on implementing smart cards, see Windows 2000 Server Help.