Windows Authentication Concepts

Updated: April 11, 2013

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This reference overview topic describes the concepts on which Windows authentication is based.

Authentication is a process for verifying the identity of an object or person. When you authenticate an object, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter.

In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses either a key only the user knows—as with public key cryptography—or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt.
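The shared-key case described above can be sketched as a challenge-response exchange. The following Python is an added example, not code from the original page and not the NTLM or Kerberos protocol; the Server class, the client_response function, the account name and the key are hypothetical, and HMAC-SHA256 is an assumed choice of cryptographic operation.

```python
import hashlib
import hmac
import secrets


def client_response(key, account, nonce):
    # The client proves knowledge of the key without ever sending the key itself.
    return hmac.new(key, account.encode() + nonce, hashlib.sha256).digest()


class Server:
    """Keeps the shared keys in one place and validates authentication attempts."""

    def __init__(self, keys):
        self._keys = dict(keys)   # account name -> shared secret key
        self._pending = {}        # account name -> outstanding challenge

    def issue_challenge(self, account):
        # A fresh random nonce per attempt, so a captured response is useless later.
        nonce = secrets.token_bytes(16)
        self._pending[account] = nonce
        return nonce

    def verify(self, account, response):
        # pop() makes every challenge single-use, which defeats replay.
        nonce = self._pending.pop(account, None)
        key = self._keys.get(account)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, account.encode() + nonce, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)          # constructed sample key
    server = Server({"alice": shared_key})        # constructed sample account

    nonce = server.issue_challenge("alice")
    proof = client_response(shared_key, "alice", nonce)
    print("valid proof accepted:", server.verify("alice", proof))
    print("replayed proof accepted:", server.verify("alice", proof))

    nonce = server.issue_challenge("alice")
    forged = client_response(secrets.token_bytes(32), "alice", nonce)
    print("wrong key accepted:", server.verify("alice", forged))
```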

Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable. Active Directory is the recommended and default technology for storing identity information (including the cryptographic keys that are the user’s credentials). Active Directory is required for default NTLM and Kerberos implementations.

Authentication techniques range from a simple logon, which identifies users based on something that only the user knows—like a password—to more powerful security mechanisms that use something that the user has—like tokens, public key certificates, and biometrics. In a business environment, users might access multiple applications on many types of servers within a single location or across multiple locations. For these reasons, authentication must support environments for other platforms and for other Windows operating systems.

Authentication and authorization: A travel analogy

A travel analogy can help explain how authentication works. For example, when you cross an international border, a border guard asks for credentials and you present a passport. The process is two-fold:

  • The guard authenticates the passport by verifying that it was issued by a security authority that the local government trusts—trusts, at least, to issue passports—and by verifying that the passport has not been modified.

  • The guard authenticates you by verifying that your face matches the face of the person pictured on the passport.

If the passport proves to be valid and you prove to be its owner, you are who you say you are.

Transitive trust between security authorities is the foundation of authentication; the type of authentication that takes place at an international border is based on trust. The local government does not know you, but it trusts that your government does. When your government issued your passport, it did not know you either. It trusted the agency that issued your birth certificate. The agency that issued your birth certificate, in turn, trusted the physician who signed the certificate. The physician witnessed your birth and stamped the certificate with your footprint, direct proof of your identity. Trust that is transferred in this way, through trusted intermediaries, is transitive.

Transitive trust is the foundation for network security in Windows client/server architecture. A trust relationship flows throughout a set of domains, such as a domain tree, and forms a relationship between a domain and all domains that trust that domain. For example, if domain A has a transitive trust with domain B, and if domain B trusts domain C, then domain A trusts domain C.
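When reviewing a set of domains, it helps to compute which domains a given domain ends up trusting and through which path. The following Python is an added example, not code from the original page; the trusted_by function and the domains D, E and F are hypothetical, and it goes beyond the text by assuming some trusts are marked non-transitive, in which case the trust stops at the two domains it connects.

```python
from collections import deque

# Constructed sample data: (trusting domain, trusted domain, is_transitive).
TRUSTS = [
    ("A", "B", True),    # the example from the text: A has a transitive trust with B
    ("B", "A", True),    # two-way trust, which creates a cycle the walk must survive
    ("B", "C", True),    # B trusts C
    ("C", "D", False),   # assumed non-transitive: stays between C and D
    ("A", "E", False),   # assumed non-transitive: A trusts E and nothing behind it
    ("E", "F", True),
]


def trusted_by(domain, trusts):
    """Return {trusted_domain: trust_path} for every domain that `domain` trusts."""
    outgoing = {}
    for trusting, trusted, transitive in trusts:
        outgoing.setdefault(trusting, []).append((trusted, transitive))

    paths = {}
    expanded = set()
    queue = deque([[domain]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current in expanded:
            continue
        expanded.add(current)
        for trusted, transitive in outgoing.get(current, []):
            direct = current == domain
            # A direct trust always counts; a derived one needs a transitive link.
            if trusted == domain or not (direct or transitive):
                continue
            paths.setdefault(trusted, path + [trusted])
            if transitive:
                # Only a transitive trust lets the walk continue past this domain.
                queue.append(path + [trusted])
    return paths


if __name__ == "__main__":
    for name, path in sorted(trusted_by("A", TRUSTS).items()):
        print(f"A trusts {name} via {' -> '.join(path)}")
```

Any domain in the result that nobody deliberately chose to trust is a path worth reviewing, because accounts authenticated there are accepted by the starting domain.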

There is a difference between authentication and authorization. With authentication, the system proves that you are who you say you are; however, with authorization, the system verifies that you have rights to do what you want to do. To take the border analogy to the next step, merely authenticating that you are the proper owner of a valid passport does not necessarily authorize you to enter a country. Residents of a particular country are allowed to enter another country by simply presenting a passport only in situations where the country being entered grants blanket permission for all citizens of that particular country to enter.

Similarly, you can grant all users from a certain domain permissions to access a resource. Any user who belongs to that domain has access to the resource, just as Canada allows U.S. citizens to enter Canada. However, U.S. citizens attempting to enter Brazil or India would find that they cannot enter those countries merely by presenting a passport because both of those countries require visiting U.S. citizens to have a valid visa. Thus, authentication does not guarantee access (or authorization).

Single sign-on

Single sign-on (SSO) makes it possible for users to access resources over the network without having to repeatedly supply their credentials. Forcing users to enter multiple passwords—or to enter a single password multiple times—to access system resources is inefficient and provides an unpleasant user experience.

SSO allows users to authenticate once with the system in order to access all applications and data sources that they are authorized to use without entering another account ID or password. The Microsoft Windows platform capitalizes on the ability to use a single user identity (maintained by Active Directory) across the network by locally caching user credentials in the operating system’s Local Security Authority (LSA). When a user logs on to the domain, Windows authentication packages transparently use the credentials to provide SSO when authenticating to network resources.

In this section

Windows authentication is dependent upon numerous operating system features to operate effectively as listed below:

See Also

Concepts

Windows Logon and Authentication Technical Overview