When a DC gets a request to authenticate a user account, how does that work?

Hello,

I'm still trying to figure out the authentication process of a DC. So, what is the correct process for authentication?
If a DC gets a request to authenticate X user, it will first check its own domain for this X user, and if not found, what would happen? Will the DC check a different domain it has a trust relationship with?

I would appreciate it if anyone could explain this process to me. I've seen some articles on the internet but still don't quite get the specific and detailed process. If anyone has any article I could read, it would be much appreciated as well.

Thanks,
PiedraCellDepot EngineerAsked:
LearnctxEngineerCommented:
Microsoft have documented the authentication process here.
0
David Johnson, CD, MVPOwnerCommented:
When you log in you supply the domain AND the username, i.e.
domain\username

It only checks that domain
1
PiedraCellDepot EngineerAuthor Commented:
Thank you for your responses. Now, what happens when an account or machine is not appended to any domain? Would Kerberos still be in this authentication process?

Example: a computer that is not in the domain logs in to the enterprise network and then logs in to any application or website (let's use SharePoint, which is an MS app). SharePoint will request a credential and then the user types in a username and password. This case changes the authentication process, doesn't it?
0
LearnctxEngineerCommented:
Will the DC check a different domain it has a trust relationship with?

If the credentials provided tell the DC you are from a domain with which it has a trust, yes, it will check the other domain to validate the authentication request.

Now, what happens when an account or machine is not appended to any domain? Would Kerberos still be in this authentication process?

It depends on the authentication protocol and what you're logging on to or trying to authenticate to (logon requests are not the same as authentication requests). There are logon types like interactive logons, where you are sitting at the Ctrl+Alt+Del screen, or network logons like RDP. For a simple bind to AD, for example, I don't think AD cares if you provide a domain or not; it will always check its own database. For protocols like Kerberos, NTLM, etc. you have to provide your domain info in the request. So you're forced to provide the relevant information, otherwise you are not authenticating. It is all built into the protocol how the client must behave, which is built into Windows.

Example: a computer that is not in the domain logs in to the enterprise network and then logs in to any application or website (let's use SharePoint, which is an MS app). SharePoint will request a credential and then the user types in a username and password. This case changes the authentication process, doesn't it?

If the computer is not on the domain, then it will not log in, full stop. Is there a specific problem scenario you are trying to work around or are you just after information? If you are just dead keen to learn about AD/Windows authentication, it is way beyond the scope of the EE post. You will need to study the materials from Microsoft.

Windows authentication overview
Windows logon scenarios
Windows logon and authentication technical overview

There is a lot of reading which leads on to more and more reading.
1
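A simplified model of the routing decision described in the answer above, added here as an illustration and not taken from the thread or from Microsoft's implementation: the domain part of the supplied name decides whether the DC validates the account itself or passes the request to a trusted domain. The domain names, the `route` function and the refusal of unknown or missing domains are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample topology: the DC's own domain and one trusted domain.
LOCAL = ("CORP", "corp.example.com")
TRUSTED = [("PARTNER", "partner.example.net")]


@dataclass(frozen=True)
class Route:
    user: str
    decision: str            # local | trusted | unknown-domain | no-domain
    target: Optional[str]    # NetBIOS name of the domain that validates, if any


def parse_logon_name(name: str) -> Tuple[Optional[str], str]:
    """Split DOMAIN\\user or user@suffix into (domain, user)."""
    name = name.strip()
    if "\\" in name:                      # down-level logon name
        domain, user = name.split("\\", 1)
    elif "@" in name:                     # UPN; real UPN suffixes need not be a domain's DNS name
        user, domain = name.rsplit("@", 1)
    else:                                 # bare name carries no domain hint
        domain, user = None, name
    if not user or domain == "":
        raise ValueError(f"malformed logon name: {name!r}")
    return domain, user


def _matches(domain: str, names: Tuple[str, str]) -> bool:
    # Domain names compare case-insensitively, by NetBIOS or DNS form.
    return domain.lower() in (n.lower() for n in names)


def route(name: str) -> Route:
    """Decide which domain this model's DC would ask to validate the account."""
    domain, user = parse_logon_name(name)
    if domain is None:
        return Route(user, "no-domain", None)
    if _matches(domain, LOCAL):
        return Route(user, "local", LOCAL[0])
    for trusted in TRUSTED:
        if _matches(domain, trusted):
            return Route(user, "trusted", trusted[0])
    return Route(user, "unknown-domain", None)   # assumption: this model refuses


if __name__ == "__main__":
    for sample in ("CORP\\alice", "bob@partner.example.net", "OTHER\\carol", "dave"):
        print(sample, "->", route(sample))
```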
PiedraCellDepot EngineerAuthor Commented:
Thank you very much! I appreciate the time you took to reply. To answer your question, yeah, I'm learning here and there, trying to read as much as I can. Sorry if the questions I submitted were not within the scope of EE.

Have a great day!
0
LearnctxEngineerCommented:
The questions are fine, I just mean the content is so vast, depending on how deep you want to go, that you could never cover it here :)
0