Analysis of the Security of Windows NT
1 March 1999
netlogon will wait for a request to log on a user. An example of the event stated above
is described in appendix B.
FIGURE 16. Passthrough authentication in NT
5.4.2 Pass-through Logon
When a user tries to log on to a computer that is not a DC and gives a domain name
that is different from the name of the computer, a pass-through logon will occur. The
steps involved in this type of logon are similar to those described in section 5.3; the
only difference is that the authentication package will use netlogon to ask the DC for
the required domain to authenticate the user. The events that occur are the following
(assuming netlogon already has a secure channel established to the DC):
1. The authentication package will send the hashed password, the domain name and
the user name to netlogon.
2. Netlogon will send a NetLogonSamLoggon RPC message to the DC using the
secure channel. This message will contain, among other things, the 16-byte RC4
encryption of the passwords, both LM and NT-native, using the session key as the
encryption key, the domain and user names and a time stamp. See appendix A.4.
3. The DC will compare the information it got with the information stored in its SAM
database. It will then reply and, if the logon was successful, send a copy (almost) of
the SAM entries for that user to the netlogon process on the client.
4. Netlogon will pass the information it received to the authentication package and the
logon process will continue as described earlier.
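The four steps above as a simplified exchange, added here as an illustration and not code from the original report. The message layout, field names, sample hashes, session key and the contents of the reply are constructed assumptions; only the RC4 encryption of the two 16-byte hashes under the session key is taken from the text.

```python
import hmac
import time

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Constructed sample values (not real hashes or keys).
SESSION_KEY = bytes(range(1, 17))  # stands in for the secure channel session key
LM_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
NT_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SAM = {("DOMAIN", "alice"): {"lm": LM_HASH, "nt": NT_HASH, "rid": 1001}}

def client_request(domain, user, lm, nt, key):
    """Steps 1-2: netlogon on the client builds the logon message."""
    return {"domain": domain, "user": user, "time": int(time.time()),
            "lm_enc": rc4(key, lm), "nt_enc": rc4(key, nt)}

def dc_validate(msg, key, sam):
    """Step 3: the DC decrypts both hashes and compares them with its SAM."""
    entry = sam.get((msg["domain"], msg["user"]))
    if entry is None:
        return None
    lm_ok = hmac.compare_digest(rc4(key, msg["lm_enc"]), entry["lm"])
    nt_ok = hmac.compare_digest(rc4(key, msg["nt_enc"]), entry["nt"])
    if not (lm_ok and nt_ok):
        return None
    # Assumption: the "(almost)" copy of the SAM entry omits the password hashes.
    return {k: v for k, v in entry.items() if k not in ("lm", "nt")}

if __name__ == "__main__":
    msg = client_request("DOMAIN", "alice", LM_HASH, NT_HASH, SESSION_KEY)
    print(dc_validate(msg, SESSION_KEY, SAM))  # step 4: handed back to the auth package
```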
5.4.3 Remote Logon
This type of logon has unfortunately been called a number of things: remote logon,
network logon and secondary logon. This type of logon will occur when a user accesses
resources on computers other than the one s/he is interactively logged in to, even if that
computer is part of the domain. In this case netlogon's secure channel is not used
[Figure 16 labels: Local Computer, Domain Controller, Login, Security account manager, User accounts database, Netlogon, Local logon, Domain logon, Secure Comm. Channel]