Authentication Questions and Resources



Jason
07-09-2005, 11:51 PM
Hi.

This is a big mess, and I've tried to organize it as best as I can, but
please bear with me.

I'm curious about authentication and access control in Windows.

Compare the scenarios listed at the bottom of this post.

In the first and second scenarios, the user is not asked for credentials
because he was already authenticated.

In the third and fourth scenarios, the user is asked for credentials, but it
"appears" that the credentials are saved only for the CIFS resource that he
accessed.

In the 5th scenario, the user account exists, but since the domain uses
smart cards, will it prompt the user for his username and password, or will
it deny him outright with no way to get around it without logging into the
domain using a smart card?

In the 7th scenario, the user is denied access. Is there a way to assign
user credentials for SMB sessions for users other than yourself? Like...
If I wanted to force sa@domain.com to remember the connection information
for a remote share outside of the network, even if either of the two servers
were rebooted, would there be an option? Because the sa@domain.com user is
never logged in interactively, I cannot assign a login script to do this,
can I?

I suspect that the first, second, and 6th scenarios make their connections
using Kerberos and the third and fourth are made using NTLM, but I'm not
absolutely sure about that, and I don't know of any monitoring tools that
would give me that information. The 5th scenario blows my mind away because
I've never played around with smart cards.

Can anyone point me to a resource that details the process by which Windows
2000 chooses which authentication method to use? And also the names of any
tools that would help me monitor which authentication is taking place would
be helpful too. If nobody helps me out with this, I'll have to get a
non-switched network and monitor the traffic using Ethereal to get my
answers, and that doesn't sound fun to me.

Thanks in advance,

-- Jason

Scenarios:
1: Windows 2000 domain in native mode. An authenticated user connects to a
share on the network using CIFS.

2: Windows 2000 domain in mixed mode. An authenticated user connects to a
share on the network using CIFS.

3: Windows 2000 domain in native mode. A user on a machine that is not part
of the domain, but has credentials in that domain in AD, tries to connect to
a network share using CIFS. After being prompted for the credentials, which
he types in, he is allowed access. Future accesses to that same resource
are made without him typing in the credentials, but if he tries to connect
to other resources on that domain, he is prompted for the exact same
credentials again.

4: Windows 2000 domain in mixed mode. A user on a machine that is not part
of the domain, but has credentials in AD, tries to connect to a network share
using CIFS.

5: Windows 2000 domain in native mode using smart cards. A user on a
machine that is not part of the network does not have a smart card, but a
user exists in AD for the user.

6: A service (specifically SQL Server) is running under the security context
of the user sa@domain.com. SQL Server tries to back up to a remote hard
drive on the local domain and is allowed access.

7: A service (specifically SQL Server) is running under the security context
of the user sa@domain.com. SQL Server tries to back up to a remote hard
drive on a domain5.com domain and is denied access because there is no trust
relationship, and they are in separate forests. Because the application
(SQL Server) is not being run by the interactive user, he is not prompted
for credentials, and authentication cannot be established.

Nestor Cabrera
07-09-2005, 11:51 PM
Ok, I'll give this my best shot but I won't make any promises:

For the differences described in scenarios 1,2,3,4,6, & 7, check out these
links:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/3f5fdc52-8623-4336-840d-e90b2399c854.mspx

&

http://www.windowsitlibrary.com/Content/617/06/1.html#2

For scenario 5, it depends on the domain policy, as you can have both the
capability to use a smart card or a user name and password; however, if
you are using smart cards your username will be the EID number on the smart
card, not a typical name per se. You can specify a policy to only allow
logon using smart cards. If your domain policy allows for both types of
logon and you attempt to connect to a share on another network without using
smart card credentials, then you can connect using your username (EID#).
Check out this link for more info:

http://www.microsoft.com/technet/security/topics/identitymanagement/smrtcdcb/sec1/smartc03.mspx#EDAA

Hope that helps.

--
Nestor L. Cabrera

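As an added example that is not part of the thread: one way to get at Jason's question of which authentication package a CIFS connection actually used, without a hub and Ethereal, is to read the file server's own Security log. This assumes a Windows Vista/Server 2008 or later Security log with event ID 4624 (the Windows 2000 era logon event IDs differ and are not handled) and an elevated PowerShell session on the server hosting the share; the script was written for this edit, not taken from Microsoft's documentation.

```powershell
# Summarise network (logon type 3) logons on this server by authentication
# package, so Kerberos vs NTLM (and NTLMv1 vs NTLMv2) can be seen per client.
# Assumption: event ID 4624 as logged by Windows Vista / Server 2008 or later.
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the EventData fields by name rather than by positional index
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ($d.LogonType -ne '3') { continue }   # network logons only (SMB/CIFS share access)

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation = $d.WorkstationName
        Source      = $d.IpAddress
        AuthPackage = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
        NtlmVersion = $d.LmPackageName               # 'NTLM V2', 'NTLM V1', or '-' for Kerberos
    }
}

# Overall breakdown: how many share connections came in over each mechanism
$rows | Group-Object AuthPackage, NtlmVersion | Sort-Object Count -Descending |
    Select-Object Count, Name

# Per-client view: a non-domain machine typing in credentials (scenarios 3/4)
# will show up here as NTLM, a domain member as Kerberos
$rows | Group-Object Workstation, AuthPackage | Sort-Object Name |
    Select-Object Count, Name

# NTLMv1 is the weakest of the three; list any client still using it
$rows | Where-Object NtlmVersion -eq 'NTLM V1' |
    Format-Table Time, User, Workstation, Source -AutoSize
```

Kerberos logons carry '-' in LmPackageName, so the first grouping separates Kerberos, NTLMv2 and NTLMv1 directly; a service account such as the one in scenario 6 appears under its own TargetUserName.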

