Logging on Interactively

Users have a natural tendency to think that logging on to an account in a Windows 2000 domain gives them access to the network. That is, of course, not true. When the Kerberos protocol is used for network authentication, what you actually get when you first log on is access to the domain's authentication service. Specifically, you get a TGT that you can present when requesting session tickets for other services in the domain.

When you log on to a domain account from a computer running Windows 2000, you always need at least one session ticket — a ticket for the computer where you are logging on. The reason for this is quite simple. You cannot use a computer that is running Windows 2000 without using at least some system services. When you use a system service, you become a client of the service, and to become a client you must first be authenticated by the service. For that to happen, you'll need a session ticket. On computers running Windows 2000, system services run under the Local System account on the computer, and when the computer is joined to a domain, these services participate in the domain by using the computer's domain account. Domain users gain admission to services running as Local System by presenting a session ticket for the computer where the services are running. Domain users who log on interactively are no exception. They, too, must have a session ticket for the computer before they are allowed access to the computer's services.