2.1.1 Interactive Logon Authentication

This section describes the interactive logon authentication process and the methods by which authentication protocols work in conjunction to prove the user's identity. Interactive logon authentication is used to grant user access to both local and domain resources. Using a computer that is running Windows in a network environment requires access to system services. Each client that requests access to a system service is authenticated by that service. Authentication requires the service to have proof of the user's credentials. The interactive logon task begins when a user enters credentials to log on by using the Windows user interface. The credentials consist of a user name and password for logon with a local account, and the user's user name, password, and domain for logon with a domain account. A smart card containing a user's public key information can also be used after the user obtains and unlocks it with a personal identification number (PIN).

Users can perform an interactive logon by using a local user account for local logon or a domain account for domain logon. The interactive logon process confirms the user's identification by using the security account database on the user's local computer or by using the domain's directory service. This mandatory logon process cannot be turned off for users in a domain.

A user can interactively logon to a computer in one of two ways:

  • Locally, when the user has direct physical access to the computer.

  • Remotely, through Terminal Services, in which case the logon is further qualified as remote interactive. Microsoft Terminal Server uses the CredSSP Protocol [MS-CSSP] to securely delegate the user's password or smart card PIN from the client to the server to remotely log on the user and to establish a Terminal Services session.

After an interactive logon, Windows runs applications on the user's behalf, and the user interacts with those applications to access protected resources either locally or on remote computers.

Local logon

Logon to a local account grants a user access to Windows resources on the local computer and requires that the user has a user account in the account database maintained by the Security Account Manager (SAM) on the local computer. The SAM protects and manages user and group information in the form of security accounts that are stored in the local computer registry. The computer can have network access, but it is not required. Local user account and group membership information is used to manage access to local resources.

Domain logon

A domain logon is a process that proves the identity of the user to the domain controller, implies eventual user access to local and domain resources, and requires that the user has a user account in an account database, such as Active Directory. The computer needs to have an account in the Active Directory domain and be physically connected to the network. Users need the privileges required to log on to a local computer or a domain. Domain user account information and group membership information is used to manage access to domain and local resources.

Smart card domain logon

Logging on to a domain with a smart card provides a strong form of authentication, because smart cards use keys that are stronger than a human can easily remember, and because two factors are required: the PIN and the card.

For interactive domain logon, the validation process relies on authenticating domain user credentials against the domain's directory service.