Cross Domain Authentication using NTLM in a Win2k Mixed Mode/NT4 Environment

By ServerWatch Staff (Send Email)
Posted Dec 20, 2000


Nathan Reynolds

Some people have asked me, "What happens in the background when I access a resource in another domain?" I'm going to give you a quick and dirty rundown of this process below. This process only pertains to NTLM, and not Win2k's Kerberos protocol, which handles trusts in a different manner. This document outlines the background processes of accessing a resource in another domain when the domains are either all NT4, or Win2k where NT4 DCs are handling cross-domain authentication requests (once you upgrade all your DCs to Win2k, the authentication mechanisms change quite a bit).


1. Client, logged into domain ACCT, attempts to access a server/resource in the RESOURCE domain.
2. The server passes the client's request to a DC in RESOURCE for authentication.
3. The DC in RESOURCE recognizes that a domain other than itself issued the credentials. It checks to see if a trust exists; if it does, it queries WINS to find a DC in the remote domain, and then passes the authentication hash to the DC in the user's domain.
4. The DC in the user's domain (ACCT) authenticates the user and sends an authentication message back to the DC in RESOURCE.
5. The DC in RESOURCE passes the authentication message back to the server in RESOURCE.
6. The server in RESOURCE generates a session based on the logon token, and grants the user access to the resource based on the user's token.



Something to remember:

-NT4 DCs are not aware of, and do not understand, Win2k transitive trusts. This means that NT4 DCs in a mixed mode Win2k domain will fail to authenticate across transitive trusts. All domains that have NT4 DCs and are communicating through trusts must use NT4-based one-way trusts until all NT4 DCs are upgraded or removed.
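The pass-through sequence in steps 1 to 6, and the transitive-trust failure just described, can be walked through with the following toy model. This is an added example and not code from the article or from Microsoft: the domain names (ACCT, RESOURCE, THIRD), DC names, user accounts and the WINS table are all constructed, and the NT hash and NTLM response are stand-ins (SHA-256 and an HMAC over the server challenge) rather than the real MD4/DES computations. The model only follows direct one-way trusts, which is exactly why an account in a domain that RESOURCE reaches only through another domain's trust is denied, as an NT4 DC would deny it.

```python
import hashlib
import hmac
import os

# --- Constructed directory data (illustrative only) --------------------------
# Domain -> {user: password}. The account DC holds the hash of the password.
ACCOUNTS = {
    "ACCT": {"nreynolds": "Win2k-r0cks"},
    "RESOURCE": {"svc_backup": "b4ckup!"},
    "THIRD": {"bob": "hunter2"},
}

# NT4-style one-way trusts: trusting domain -> set of directly trusted domains.
# RESOURCE trusts ACCT, and ACCT trusts THIRD. An NT4 DC never chains these.
TRUSTS = {
    "RESOURCE": {"ACCT"},
    "ACCT": {"THIRD"},
    "THIRD": set(),
}

# Stand-in for WINS: domain name -> a DC registered for that domain.
WINS = {"ACCT": "ACCTDC1", "RESOURCE": "RESDC1", "THIRD": "THIRDDC1"}


def nt_hash(password: str) -> bytes:
    """Stand-in for the NT hash (real NTLM uses MD4 of the UTF-16LE password;
    MD4 is not always available in hashlib, so SHA-256 is used here)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(password_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response: a keyed MAC of the server challenge."""
    return hmac.new(password_hash, challenge, "sha256").digest()


def account_dc_verify(domain, user, challenge, response, trace):
    """Step 4: the DC in the user's own domain checks the response."""
    dc = WINS[domain]
    password = ACCOUNTS[domain].get(user)
    if password is None:
        trace.append(f"{dc}: no such user {domain}\\{user}")
        return False
    expected = challenge_response(nt_hash(password), challenge)
    ok = hmac.compare_digest(expected, response)
    trace.append(f"{dc}: response for {domain}\\{user} {'valid' if ok else 'INVALID'}")
    return ok


def resource_dc_authenticate(dc_domain, user_domain, user, challenge, response, trace):
    """Steps 3 and 4: the DC in the server's domain either verifies locally or
    passes the request through a direct trust to the account domain."""
    dc = WINS[dc_domain]
    if user_domain == dc_domain:
        trace.append(f"{dc}: {user_domain}\\{user} is local, verifying here")
        return account_dc_verify(dc_domain, user, challenge, response, trace)
    if user_domain not in TRUSTS.get(dc_domain, set()):
        # An NT4 DC only knows its own direct one-way trusts; a domain reachable
        # only through another domain's trust (transitively) is untrusted to it.
        trace.append(f"{dc}: no direct trust from {dc_domain} to {user_domain}, denying")
        return False
    remote_dc = WINS.get(user_domain)
    if remote_dc is None:
        trace.append(f"{dc}: WINS has no DC for {user_domain}, denying")
        return False
    trace.append(f"{dc}: trust to {user_domain} exists, forwarding to {remote_dc} (found via WINS)")
    return account_dc_verify(user_domain, user, challenge, response, trace)


def access_resource(server_domain, user_domain, user, password, challenge=None):
    """Steps 1, 2, 5 and 6: the client answers the server's challenge, the server
    hands the answer to its own DC and, on success, builds a session.
    Returns (granted, trace) so the hop-by-hop path can be inspected."""
    trace = []
    challenge = challenge or os.urandom(8)                      # server's challenge
    response = challenge_response(nt_hash(password), challenge)  # computed client-side
    trace.append(f"client: {user_domain}\\{user} -> server in {server_domain}")
    trace.append(f"server: passing request to {WINS[server_domain]}")
    granted = resource_dc_authenticate(server_domain, user_domain, user,
                                       challenge, response, trace)
    trace.append("server: session created, access granted" if granted
                 else "server: access denied")
    return granted, trace


if __name__ == "__main__":
    for args in [("RESOURCE", "ACCT", "nreynolds", "Win2k-r0cks"),   # direct trust
                 ("RESOURCE", "THIRD", "bob", "hunter2"),            # transitive only
                 ("RESOURCE", "ACCT", "nreynolds", "wrong-password")]:
        _, trace = access_resource(*args)
        print("\n".join(trace), "\n")
```

Running the block prints three traces: the ACCT user is verified by ACCTDC1 after RESDC1 finds the trust and looks the DC up via WINS; the THIRD user is refused at RESDC1 before any forwarding, because RESOURCE has no direct trust to THIRD even though ACCT does; and a bad password travels the full path but is rejected by ACCTDC1. The `trace` list is the thing to look at when reasoning about which DC a cross-domain logon failure actually came from.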


