Mission-Critical Active Directory

In this chapter we will look at the most important operating system security service and how it is implemented in Windows 2000: authentication. We will look at the Windows 2000 authentication architecture and at the nuts and bolts of the Kerberos authentication protocol: how it compares to NTLM, how it can be used as a single sign-on solution between different operating systems, and so on.
Before an entity is given access to a resource on a Windows 2000 system, the operating system must validate the entity s identity and check whether it can access that particular resource. The latter process is known as access control; it was discussed in the previous chapter. The first process is known as authentication, and it will be discussed extensively in this chapter. The primary purpose of authentication is to prove and validate an entity s identity. It answers the question of who or what is the system talking to?
In a Windows environment, you bootstrap the authentication process by pressing CTRL+ALT+DEL (known as the Secure Attention Sequence [SAS]) to log on to a machine or a domain (this is called an interactive logon). A valid interactive logon results in a local logon session. If you want to access a resource located on another machine during your logon session, another authentication process will be started (this is called a noninteractive logon). A valid noninteractive logon results in a network logon session.
Every entity that authenticates to a Windows 2000 system is called a principal. A...