2.5.5.1.1 Authenticate Client Identity by Using a User Name and Password

The following describes authentication of a client user or computer by using a user name and password.

Goal: To authenticate the identity of a user or computer to the AA by providing a user name or computer name and a password.

Context of Use: Applies when the user interactively logs on to the domain or when the user tries to access a protected resource on the network.

Direct Actor: The Authentication Client.

Primary Actor: The LSA or the client application.

Supporting Actors: The AA, the account DB, and the PKI.

Preconditions:

  • The identities of the user and the client computer are configured in the account database.

  • The client computer and the AA can communicate with each other.

  • The LSA has obtained the credential information for the user or computer identity and has submitted the credential information to the Authentication Client. In the case of user identity authentication, the LSA has obtained the credential information from the user (for example, by using a logon UI).

Minimal Guarantees: If the identity of the user or computer cannot be proven to the AA by using the underlying authentication protocol, authentication fails. The client application or the user receives an error message that indicates the reason for the failure.

Success Guarantees: The client computer has a TGT for the user or computer account, which is used to authenticate to servers. The user or computer identity is successfully proven to the client computer, and the client computer has group information and other information about the user.

Main Success Scenario: Using the Kerberos Protocol

  1. To prove the identity of the user or computer, the Authentication Client submits to the AA credential information including a user name or computer account name, a timestamp that is encrypted with a key derived from the user's or computer's password, and a domain name.

  2. The AA verifies the credential information against the account DB. When verification succeeds, the AA returns to the Authentication Client a TGT and a session key that is encrypted with a key derived from the user's or computer's password.

Alternative Scenario: This scenario occurs when FAST mode is supported and configured on both the Authentication Client and the AA, and when the Authentication Client has already obtained the TGT for the computer account, as described in the Main Success Scenario.

  1. To prove the user identity, the Authentication Client submits to the AA a FAST AS-REQ message that contains user credential information. The information includes a user name, a timestamp that is encrypted with a key derived from the user's password, and a domain name.

  2. The AA verifies the user credential information against the account database. When verification succeeds, the AA returns a FAST AS-REP message to the Authentication Client. FAST AS-REP is a Kerberos AS-REP message ([RFC4120] section 3.1) that contains a TGT and a session key that is encrypted with a key derived from the user's password.
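The following is an added worked example, not part of this specification and not Microsoft's or any Kerberos implementation's code. It models the two-step AS exchange of the Main Success Scenario with both sides' messages: the Authentication Client sends its name, realm and a timestamp encrypted under the password-derived key; the AA verifies that against the account DB and, on success, returns a TGT (opaque to the client, encrypted to the AA) and a session key encrypted under the client's key, or otherwise an error naming the reason (the Minimal Guarantee). The FAST Alternative Scenario carries the same AS-REQ and AS-REP inside armor derived from the computer account's TGT; that armoring is not modeled, so the block shows what the two scenarios have in common. Assumptions: the RFC 3961 encryption profile is replaced by an HMAC-SHA256 counter-mode keystream plus HMAC tag, messages are Python dicts rather than ASN.1 DER, the string-to-key step stops at the RFC 3962 PBKDF2 stage, and the realm, principal, passwords and krbtgt secret are constructed for the demo.

```python
"""Model of the Kerberos AS exchange (AS-REQ with PA-ENC-TIMESTAMP, AS-REP).
Added example; stand-ins for the real encryption profile are marked below."""
import hashlib
import hmac
import os
import secrets
import time

# Key-usage numbers from RFC 4120 section 7.5.1 for the three encryptions modeled.
USAGE_PA_ENC_TIMESTAMP = 1   # PA-ENC-TIMESTAMP in AS-REQ, under the client's key
USAGE_TGT_ENC_PART = 2       # ticket enc-part, under the AA's (krbtgt) key
USAGE_AS_REP_ENC_PART = 3    # AS-REP enc-part, under the client's key
CLOCK_SKEW_SECONDS = 300     # allowable skew; five minutes is the usual default


def string_to_key(password, realm, principal):
    """RFC 3962 string-to-key: PBKDF2-HMAC-SHA1, salt = realm + principal name.
    The real profile then applies an AES-based DK() step, which is omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + principal).encode(), 4096, 16)


def _keystream(key, nonce, usage, length):
    out = b""
    for counter in range((length + 31) // 32):
        block = nonce + usage.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
    return out[:length]


def encrypt(key, plaintext, usage):
    """Stand-in for RFC 3961 encrypt(): nonce || ciphertext || 12-byte HMAC tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, usage, len(plaintext))))
    tag = hmac.new(key, nonce + usage.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()[:12]
    return nonce + ciphertext + tag


def decrypt(key, blob, usage):
    """Inverse of encrypt(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-12], blob[-12:]
    expected = hmac.new(key, nonce + usage.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, usage, len(ciphertext))))


# --- Authentication Client side ---
def build_as_req(realm, cname, password, now=None):
    """Step 1: name, realm, and a timestamp encrypted under the password-derived key."""
    key = string_to_key(password, realm, cname)
    ts = int(now if now is not None else time.time()).to_bytes(8, "big")
    return {"cname": cname, "realm": realm, "pa_enc_timestamp": encrypt(key, ts, USAGE_PA_ENC_TIMESTAMP)}, key


def process_as_rep(key, rep):
    """Client recovers the session key; the TGT stays opaque (readable only by the AA)."""
    if "error" in rep:
        raise PermissionError(rep["error"])          # Minimal Guarantee: the reason is reported
    return decrypt(key, rep["enc_part"], USAGE_AS_REP_ENC_PART), rep["tgt"]


# --- AA (KDC) side ---
def kdc_as_exchange(account_db, krbtgt_key, req, now=None):
    """Step 2: verify pre-authentication against the account DB, then issue TGT + session key."""
    now = int(now if now is not None else time.time())
    client_key = account_db.get(req["cname"])        # the DB holds derived keys, not passwords
    if client_key is None:
        return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
    try:
        ts = int.from_bytes(decrypt(client_key, req["pa_enc_timestamp"], USAGE_PA_ENC_TIMESTAMP), "big")
    except ValueError:
        return {"error": "KDC_ERR_PREAUTH_FAILED"}   # wrong password: timestamp does not decrypt
    if abs(now - ts) > CLOCK_SKEW_SECONDS:
        return {"error": "KDC_ERR_PREAUTH_FAILED"}   # stale or replayed timestamp
    session_key = secrets.token_bytes(16)
    ticket_body = req["cname"].encode() + b"|" + session_key   # simplified EncTicketPart
    return {
        "tgt": encrypt(krbtgt_key, ticket_body, USAGE_TGT_ENC_PART),
        "enc_part": encrypt(client_key, session_key, USAGE_AS_REP_ENC_PART),
    }


def run_exchange(realm, cname, stored_password, typed_password):
    """Full exchange against a constructed one-account DB; returns what each side ended up with."""
    account_db = {cname: string_to_key(stored_password, realm, cname)}
    krbtgt_key = string_to_key("krbtgt-secret-for-demo", realm, "krbtgt")   # constructed AA key
    req, client_key = build_as_req(realm, cname, typed_password)
    rep = kdc_as_exchange(account_db, krbtgt_key, req)
    try:
        session_key, tgt = process_as_rep(client_key, rep)
    except PermissionError as exc:
        return {"ok": False, "error": str(exc)}
    # Only the AA can open the TGT; confirm it carries the session key the client recovered.
    inside = decrypt(krbtgt_key, tgt, USAGE_TGT_ENC_PART)
    return {"ok": True, "tgt_matches": inside == cname.encode() + b"|" + session_key}


if __name__ == "__main__":
    print(run_exchange("CONTOSO.COM", "alice", "Correct-Horse", "Correct-Horse"))
    print(run_exchange("CONTOSO.COM", "alice", "Correct-Horse", "wrong-guess"))
```

Two points the model makes visible: the AA never sees the password, only whether the timestamp decrypts under the stored key, and every secret the client receives in the AS-REP is protected by nothing stronger than that password-derived key. That second point is why the FAST alternative exists: wrapping the same exchange in armor keyed from the computer account's TGT keeps the password-derived ciphertext off the wire in the clear.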

Postconditions: The user or computer identity is proven to the AA, and the Authentication Client receives a TGT and a session key for further authentication processing.