Windows Logon Scenarios
Updated: April 11, 2013
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
This reference topic summarizes common Windows logon scenarios.
The Windows operating systems requires all users to log on to access local and network resources. Windows secures resources by implementing the interactive logon process, which provides authentication of users. After a user is authenticated, Windows uses the authorization and access control technologies to implement the second phase of protecting resources—determining if an authenticated user is authorized to access a resource.
The logon process begins when a user enters credentials into the Log On to Windows dialog box, or when the user inserts a smart card into the smart card reader, or interacts with a biometric device. Users can perform an interactive logon by using a local user account or a domain account to log on to a computer.
For a diagram and description of the interactive logon process and a description of the components see the following:
Local and domain logon
Credentials that the user presents for a domain logon contain all the elements necessary for a local logon, such as account name and password or certificate, plus Active Directory domain information. The process confirms the user’s identification to the security database on the user’s local computer or to an Active Directory domain. This mandatory logon process cannot be turned off for users in a domain.
Users can perform an interactive logon to a computer in either of two ways:
Locally, when the user has direct physical access to the computer, or when the computer is part of a network of computers.
A local logon grants a user access to Windows resources on the local computer. A local logon requires that the user have a user account in the Security Accounts Manager (SAM) on the local computer. The SAM protects and manages user and group information in the form of security accounts stored in the local computer registry. The computer can have network access, but it is not required. Local user account and group membership information is used to manage access to local resources.
A network logon grants a user access to Windows resources on the local computer in addition to any resources on networked computers as defined by the credential’s access token. Both a local logon and a network logon require that the user have a user account in the Security Accounts Manager (SAM) on the local computer. Local user account and group membership information is used to manage access to local resources, and the access token for the user defines what resources can be accessed on networked computers.
A local logon and a network logon are not sufficient to allow the user and computer from accessing and using domain resources.
Remotely, through Terminal Services or Remote Desktop Services (RDS), in which case the logon is further qualified as remote interactive.
After an interactive logon, Windows runs applications on the user's behalf and the user can interact with those applications.
A local logon grants a user access to Windows resources on the local computer (or resources on networked computers). If the computer is joined to a domain, then Winlogon attempts to log on to that domain.
A domain logon grants a user access to local and domain resources. A domain logon requires that the user have a user account in Active Directory. The computer must have an account in the Active Directory domain and be physically connected to the network. Users must also have the user rights to log on to a local computer or a domain. Domain user account information and group membership information are used to manage access to domain and local resources.
A network logon can only be used after user, service, or computer authentication has taken place. During network logon, the process does not use the logon dialog boxes, such as the Log On to Windows dialog box, to collect data. Instead, previously established credentials or another method to collect credentials is used. This process confirms the user’s identification to any network service that the user is attempting to access. This process is typically invisible to the user unless alternate credentials need to be provided.
To provide this type of authentication, the security system includes these authentication mechanisms:
Kerberos version 5 protocol
Public key certificates
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
NTLM (for compatibility with Windows NT 4.0−based systems)
Smart card logon
Smart cards can be used to log on only to domain accounts, not local accounts. Smart card authentication requires the use of the Kerberos authentication protocol. Beginning with Windows 2000 Server, Microsoft implemented a public key extension to the Kerberos protocol’s initial authentication request. In contrast to shared secret key cryptography, public key cryptography is asymmetric; that is, two different keys are needed—one to encrypt, another to decrypt. Together, the keys needed to perform both operations make up a private/public key pair.
To initiate a typical logon session, a user must prove his or her identity by providing information known only to the user and the underlying Kerberos infrastructure. The secret information is a cryptographic shared key derived from the user’s password. A shared secret key is symmetric, which means that the same key is used for both encryption and decryption.
When a smart card is used in place of a password, a private/public key pair stored on the user’s smart card is substituted for the shared secret key derived from the user’s password. The private key is stored only on the smart card. The public key can be made available to anyone with whom the owner wants to exchange confidential information.
For more information about the smart card logon process in Windows, see How Smart Card Logon Works in Windows.
A device is used to capture and build a digital characteristic of an artifact, such as a fingerprint. This digital representation is then compared to a sample of the same artifact, and when the two are successfully compared, authentication can occur. Computers running Windows Server 2008 R2 and Windows 7 can be configured to accept this form of logon. However, if biometric logon is only configured for local logon, the user needs to present domain credentials when accessing an Active Directory domain.
For information about how Windows manages credentials submitted during the logon process, see Credentials Management in Windows Authentication.