1.3 Overview

Authentication protocols such as NT LAN Manager (NTLM), Kerberos, Secure Sockets Layer (SSL)/Transport Layer Security (TLS), and Digest authentication are used by a variety of higher-layer protocols to provide security services.

The Authentication Protocol Domain Support Protocol specifies the communication between the server and the domain controller for each of the protocols.

Each of the protocols has a specific exchange with the domain controller (DC) as follows:

  • Authenticating the client: NTLM and digest.

  • Obtaining authorization information, such as group memberships: NTLM, digest, and SSL/TLS.

  • Verifying the authorization information: The server operating system for Kerberos privilege attribute certificate (PAC) [MS-PAC].

All of these back-end, server-to-server protocols in turn use the Netlogon Remote Protocol [MS-NRPC] for their transport to the DC. Specifically, the protocols behave as follows:

  • The NT LAN Manager (NTLM) Authentication Protocol [MS-NLMP] uses the Netlogon Remote Protocol [MS-NRPC] to communicate with the DC to complete the authentication of a domain account during an interactive logon or network logon. As user account information is maintained by the DC, only the DC can validate user credentials and complete the authentication sequence. The server then uses the authorization information returned by the DC to make authorization decisions.

  • The server operating system uses Netlogon generic pass-through ([MS-NRPC] section 3.2) to validate the PAC [MS-PAC] that it receives in the ticket from the client. Because PAC information can be altered by the server, the operating system might contact the DC to validate the PAC and ensure its integrity.

  • The Digest Protocol Extensions [MS-DPSP] is used by deployments in which users are authenticated based on user name and password by using the Digest authentication mechanism. The Digest authentication mechanism itself defines how the client authenticates the user to the server (by proving knowledge of the password), and optionally provides integrity and confidentiality of subsequent messages exchanged between the client and the server. Digest validation is performed between the server and the DC during the initial client/server Digest–based authentication as follows:

    1. The server (which does not have access to the user's password) sends a Digest validation request (section message to the domain controller by using the generic pass-through capability of the Netlogon Remote Protocol, as specified in [MS-NRPC] section 3.2.

    2. The DC looks up the user's password and uses it to verify the validity of the digest input. The digest input is originally generated by the Digest client using the user's password, as specified in [RFC2617] and [RFC2831]).

    3. On successful validation, the domain controller returns the PAC in the DIGEST_VALIDATION_RESP message. The PAC represents the user's identity and group memberships, suitable for making authorization decisions.

  • SSL/TLS and other protocols that authenticate users via the X.509 certificates [X509] can use the Remote Certificate Mapping Protocol [MS-RCMP], which relies on the generic pass-through capability of Netlogon to retrieve authorization information associated with users. This behavior is specified in [MS-RCMP].