• Status: Solved

When a DC gets a request to authenticate a user account, how does that work?

Hello,

I'm still trying to figure out the authentication process of a DC. So, what is the correct process for authentication?
If a DC gets a request to authenticate X user, it will first check its own domain for this X user and if not found, what would happen? Will the DC check a different domain it has a trust relationship with?

I would appreciate it if anyone could explain this process to me. I've seen some articles on the internet but still don't quite get the specific and detailed process. If anyone has any article I could read, it would be much appreciated as well.

Thanks,
Piedra
1 Solution
 
Learnctx, Engineer, Commented:
Microsoft have documented the authentication process here.
0
 
David Johnson, CD, MVP, Owner, Commented:
When you log in you supply the domain AND the username, i.e.
domain\username

It only checks that domain.
1
 
Piedra, Support Engineer, Author, Commented:
Thank you for your responses. Now, what happens when an account or machine is not appended to any domain? Would Kerberos still be in this authentication process?

Example: a computer that is not in the domain logs in to the enterprise network and then logs into any application or website (let's use SharePoint, which is an MS app). SharePoint will request a credential and then the user types in a username and password. This case changes the authentication process, doesn't it?
0

 
Learnctx, Engineer, Commented:
Will the DC check a different domain it has a trust relationship with?

If the credentials provided tell the DC you are from a domain with which it has a trust, yes, it will check the other domain to validate the authentication request.

Now, what happens when an account or machine is not appended to any domain? Would Kerberos still be in this authentication process?

It depends on the authentication protocol and what you're logging on to or trying to authenticate to (logon requests are not the same as authentication requests). There are logon types like interactive logons, where you are sitting at the Ctrl+Alt+Del screen, or network logons like RDP. For a simple bind to AD, for example, I don't think AD cares if you provide a domain or not; it will always check its own database. For protocols like Kerberos, NTLM, etc. you have to provide your domain info in the request. So you're forced to provide the relevant information, otherwise you are not authenticating. How the client must behave is all built into the protocol, which is built into Windows.

Example: a computer that is not in the domain logs in to the enterprise network and then logs into any application or website (let's use SharePoint, which is an MS app). SharePoint will request a credential and then the user types in a username and password. This case changes the authentication process, doesn't it?

If the computer is not on the domain, then it will not log in, full stop. Is there a specific problem scenario you are trying to work around, or are you just after information? If you are just dead keen to learn about AD/Windows authentication, it is way beyond the scope of the EE post. You will need to study the materials from Microsoft.

Windows authentication overview
Windows logon scenarios
Windows logon and authentication technical overview

There is a lot of reading which leads on to more and more reading.
1
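The answers above say that the domain part of the logon name decides which domain validates the account, and that a trusted domain is consulted only when the name points at it. The following is an added example modelling that decision; it is not code from the thread or from Microsoft. `Domain`, `route`, the decision strings and the `CORP`/`PARTNER` domains are hypothetical, and treating a UPN suffix as the domain's DNS name is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Domain:
    netbios: str   # short name used in DOMAIN\user
    dns: str       # DNS name, assumed here to double as the UPN suffix

def parse_logon_name(name):
    """Split a logon name into (domain_hint, user); domain_hint is None if absent."""
    if "\\" in name:                       # down-level form: DOMAIN\user
        domain, user = name.split("\\", 1)
    elif "@" in name:                      # UPN form: user@dns.suffix
        user, domain = name.rsplit("@", 1)
    else:                                  # bare user name, no domain supplied
        domain, user = None, name
    if not user or domain == "":
        raise ValueError(f"malformed logon name: {name!r}")
    return (domain.lower() if domain else None), user

def route(name, local, trusted, protocol="kerberos"):
    """Return (decision, domain_dns, user) for a request arriving at a DC of `local`."""
    hint, user = parse_logon_name(name)
    if hint is None:
        # As described in the thread: a simple bind is checked against the DC's
        # own database, while Kerberos/NTLM requests must carry the domain.
        if protocol == "simple_bind":
            return ("validate_locally", local.dns, user)
        return ("reject_no_domain", None, user)
    for dom in (local, *trusted):
        if hint in (dom.netbios.lower(), dom.dns.lower()):
            decision = "validate_locally" if dom is local else "pass_to_trusted_domain"
            return (decision, dom.dns, user)
    return ("reject_unknown_domain", None, user)

# Constructed sample environment (not from the thread).
CORP = Domain("CORP", "corp.example.com")
PARTNER = Domain("PARTNER", "partner.example.net")

if __name__ == "__main__":
    for n, p in [(r"CORP\alice", "ntlm"), ("bob@partner.example.net", "kerberos"),
                 (r"OTHER\carol", "ntlm"), ("dave", "simple_bind"), ("dave", "kerberos")]:
        print(f"{n:28} {p:12} -> {route(n, CORP, [PARTNER], p)}")
```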
 
Piedra, Support Engineer, Author, Commented:
Thank you very much! I appreciate the time you took to reply. To answer your question, yeah, I'm learning here and there, trying to read as much as I can. Sorry if the questions I submitted were not within the scope of EE.

Have a great day!
0
 
Learnctx, Engineer, Commented:
The questions are fine; I just mean the content is so vast that, depending on how deep you want to go, you could never cover it here :)
0
Question has a verified solution.
