Jason
07-09-2005, 11:51 PM
Hi.
This is a big mess, and I've tried to organize it as best as I can, but
please bear with me.
I'm curious about authentication and access control in Windows.
Compare the scenarios listed at the bottom of this post.
In the first and second scenarios, the user is not asked for credentials
because he was already authenticated.
In the third and fourth scenarios, the user is asked for credentials, but it
"appears" that the credentials are saved only for the CIFS resource that he
accessed.
In the 5th scenario, the user account exists, but since the domain uses
smart cards, will it prompt the user for his username and password, or will
it deny him outright with no way to get around it without logging into the
domain using a smart card?
In the 7th scenario, the user is denied access. Is there a way to assign
user credentials for SMB sessions for users other than yourself? Like...
If I wanted to force sa@domain.com to remember the connection information
for a remote share outside of the network, even if either of the two servers
were rebooted, would there be an option? Because the sa@domain.com user is
never logged in interactively, I cannot assign a login script to do this,
can I?
I suspect that the first, second, and 6th scenarios make their connections
using Kerberos and the third and fourth are made using NTLM, but I'm not
absolutely sure about that, and I don't know of any monitoring tools that
would give me that information. The 5th scenario blows my mind away because
I've never played around with smart cards.
Can anyone point me to a resource that details the process by which Windows
2000 chooses which authentication method to use? And also the names of any
tools that would help me monitor which authentication is taking place would
be helpful too. If nobody helps me out with this, I'll have to get a
non-switched network and monitor the traffic using ethereal to get my
answers, and that doesn't sound fun to me.
Thanks in advance,
-- Jason
Scenarios:
1: Windows 2000 domain in native mode. An authenticated user connects to a
share on the network using CIFS.
2: Windows 2000 domain in mixed mode. An authenticated user connects to a
share on the network using CIFS.
3: Windows 2000 domain in native mode. A user on a machine that is not part
of the domain, but has credentials in that domain in AD, tries to connect to
a network share using CIFS. After being prompted for the credentials that
he types in, he is allowed access. Future accesses to that same resource
are made without him typing in the credentials, but if he tries to connect
to other resources on that domain, he is prompted for the exact same
credentials again.
4: Windows 2000 domain in mixed mode. A user on a machine that is not part
of the domain, but has credentials in AD, tries to connect to a network share
using CIFS.
5: Windows 2000 domain in native mode using smart cards. A user on a
machine that is not part of the network does not have a smart card, but a
user exists in AD for the user.
6: a service (specifically SQL Server) is running under the security context
of the user sa@domain.com. SQL Server tries to backup to a remote hard
drive on the local domain and is allowed access.
7: a service (specifically SQL Server) is running under the security context
of the user sa@domain.com. SQL Server tries to backup to a remote hard
drive on a domain5.com domain and is denied access because there is no trust
relationship, and they are in separate forests. Because the application
(SQL Server) is not being run by the interactive user, he is not prompted
for credentials, and authentication cannot be established.
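Added example (not from Jason's post): the quickest way to answer "was that share connection Kerberos or NTLM?" without a sniffer is the server's Security log, where a Windows 2000 successful network logon (event 540, logon type 3) records the Authentication Package. The script below tallies that field per account from a constructed, log-shaped sample and lists the workstations that fell back to NTLM; the sample events are made up for illustration and the field layout follows the event 540 description text.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Windows 2000 Security log event 540
# (successful network logon); not captured from any real system.
SAMPLE_EVENTS = """\
Event ID: 540
User Name: jason
Domain: DOMAIN
Logon Type: 3
Authentication Package: Kerberos
Workstation Name: WS01

Event ID: 540
User Name: jason
Domain: DOMAIN
Logon Type: 3
Authentication Package: NTLM
Workstation Name: LAPTOP-NOTDOMAIN

Event ID: 540
User Name: sa
Domain: DOMAIN
Logon Type: 3
Authentication Package: Kerberos
Workstation Name: SQL01
"""

# One "Field Name: value" line of an event description.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split the text on blank lines; each event becomes a {field: value} dict."""
    return [dict(m.groups() for m in map(FIELD_RE.match, chunk.splitlines()) if m)
            for chunk in text.strip().split("\n\n")]

def auth_package_by_account(text):
    """Map DOMAIN\\user to a Counter of authentication packages (network logons only)."""
    summary = defaultdict(Counter)
    for ev in parse_events(text):
        # Only successful network logons (event 540, logon type 3) are share access.
        if ev.get("Event ID") != "540" or ev.get("Logon Type") != "3":
            continue
        account = ev.get("Domain", "?") + "\\" + ev.get("User Name", "?")
        summary[account][ev.get("Authentication Package", "unknown")] += 1
    return summary

def ntlm_sources(text):
    """Account/workstation pairs that authenticated with NTLM rather than Kerberos."""
    return sorted({(e["Domain"] + "\\" + e["User Name"], e["Workstation Name"])
                   for e in parse_events(text) if e.get("Authentication Package") == "NTLM"})
```

A non-domain workstation showing up under NTLM while the same account is Kerberos elsewhere is exactly the pattern scenarios 3 and 4 describe: the client cannot get a Kerberos ticket for that domain, so the redirector falls back to NTLM.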