
Cross Domain Authentication using NTLM in a Win2k Mixed Mode/NT4 Environment

Nathan Reynolds

Some people have asked me, "What happens in the background when I access a resource in another domain?" Below is a quick and dirty walk-through of that process. It applies only to NTLM, not to Win2k's Kerberos protocol, which handles trusts in a different manner. The document outlines what happens in the background when you access a resource in another domain, when the domains are either all NT4, or Win2k domains in mixed mode where NT4 DCs still handle cross-domain authentication requests (once you upgrade all your DCs to Win2k, the authentication mechanisms change quite a bit).


1. A client logged into domain ACCT attempts to access a server/resource in the RESOURCE domain. The server sends the client an NTLM challenge, and the client answers with a response computed from its password hash (the password itself never goes over the wire).
2. The server passes the client's logon request (user name, domain, challenge and response) to a DC in RESOURCE for authentication.
3. The DC in RESOURCE sees that a domain other than itself issued the credentials. It checks whether a trust exists with that domain; if it does, it queries WINS to find a DC in the remote domain, then passes the challenge and the client's response over the trust's secure channel to the DC in the user's domain (pass-through authentication). If no trust exists, the logon fails here.
4. The DC in the user's domain (ACCT) validates the response against its own copy of the user's password hash, and sends an authentication message (success or failure, and on success the account information needed to build the user's token) back to the DC in RESOURCE.
5. The DC in RESOURCE passes the authentication message back to the server in RESOURCE.
6. The server in RESOURCE builds a logon session and access token from that information, and grants or denies access to the resource based on the user's token.
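The six steps above, simulated end to end as an added example (this is not code from the original guide). The NTLMv2 challenge/response arithmetic follows MS-NLMP, with a pure-Python MD4 so the NT hash works even where OpenSSL has MD4 disabled; the domain names, the user account, the password and the in-memory trust table are constructed for the example, the timestamp and AV-pair list in the NTLMv2 blob are zeroed for brevity, and the WINS lookup plus the Netlogon secure channel to the remote DC are stood in for by a direct object reference. Only the NT4-style explicit, one-way trust (RESOURCE trusts ACCT) is modeled; a transitive trust is never consulted, which is exactly what an NT4 DC would do.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; the NT hash is MD4 over the UTF-16LE password."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:      # round 1: F = (B and C) or (not B and D)
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2: G = majority(B, C, D)
                f, k, s, add = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:           # round 3: H = B xor C xor D
                f, k, s, add = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + add) & MASK, s), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, client_challenge: bytes) -> bytes:
    # Client side of step 1. Minimal NTLMv2 "temp" blob (constructed for the example): RespType/HiRespType,
    # reserved, zeroed timestamp, client nonce, reserved, empty AV-pair list (MsvAvEOL), reserved.
    temp = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + client_challenge + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp            # NtChallengeResponse = NTProofStr || temp


class DomainController:
    """An NT4-style DC: holds its own domain's NT hashes and a table of explicit (non-transitive) trusts."""

    def __init__(self, domain, users):
        self.domain, self.users, self.trusted = domain, users, {}   # users: name -> NT hash

    def trust(self, other):
        # One-way trust: this DC will pass logons for other.domain through to other. The object
        # reference stands in for the WINS lookup of a DC in that domain and the Netlogon secure channel.
        self.trusted[other.domain] = other

    def validate(self, domain, user, server_challenge, response, path=None):
        path = (path or []) + [self.domain]
        if domain != self.domain:                       # step 3: credentials were issued by another domain
            if domain not in self.trusted:
                return {"ok": False, "reason": "no trust", "path": path}
            return self.trusted[domain].validate(domain, user, server_challenge, response, path)
        nt = self.users.get(user)                         # step 4: the account's own DC does the check
        if nt is None:
            return {"ok": False, "reason": "no such user", "path": path}
        proof, temp = response[:16], response[16:]
        expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
        ok = hmac.compare_digest(proof, expected)
        return {"ok": ok, "reason": None if ok else "bad password", "path": path}


def cross_domain_logon(password, user="alice", domain="ACCT", trusted=True):
    """Steps 1-5: a client in ACCT hits a server in RESOURCE; the RESOURCE DC passes the logon through."""
    acct = DomainController("ACCT", {"alice": nt_hash("Secr3t!")})      # constructed account
    resource = DomainController("RESOURCE", {})
    if trusted:
        resource.trust(acct)                              # RESOURCE trusts ACCT (NT4 one-way trust)
    server_challenge = os.urandom(8)                      # step 1: server in RESOURCE challenges the client
    response = ntlmv2_response(nt_hash(password), user, domain, server_challenge, os.urandom(8))
    return resource.validate(domain, user, server_challenge, response)   # step 2: server hands it to its DC


if __name__ == "__main__":
    print("good password, trust present :", cross_domain_logon("Secr3t!"))
    print("bad password                 :", cross_domain_logon("wrong"))
    print("good password, no trust      :", cross_domain_logon("Secr3t!", trusted=False))
```

The `path` field in the result shows which DCs touched the logon: a successful cross-domain logon is validated by ACCT after passing through RESOURCE, while a missing trust is rejected by RESOURCE before anything leaves the domain. Note that the RESOURCE DC never sees the user's NT hash; it only relays the challenge and response, which is why the trust's secure channel, and not the resource domain, is the thing to protect.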

Something to remember:

- NT4 DCs are not aware of Win2k transitive trusts, so an NT4 DC in a mixed-mode Win2k domain will fail to authenticate across a transitive trust: it only knows how to follow the explicit, non-transitive trusts it was built for. Any domains that still have NT4 DCs and need to authenticate across trusts must use NT4-style one-way (explicit, non-transitive) trusts until all NT4 DCs are upgraded or removed.
