****************************
NT's authentication procedure for incoming connections (in brief).
****************************

========================================
Account information passed by the client
========================================

9x is a bit quirky about the way it passes account info, when attempting to make a network connection. If there is a value in the "NT Domain" field (Control Panel / Network / Client for MS Networks / Properties), 9x will pass this as the domain (even if "Log in to NT domain" is disabled). If the "NT Domain" field is blank, 9x will pass its workgroup as a domain.

NT's quirk is that each NT machine (with the exception of domain controllers) believes that it is a domain (in and of itself). Each non-DC NT machine maintains its own local security, its own user database, and is capable of authenticating logons, locally.

When an NT client attempts to connect to a remote server, it will pass the account (username, password and domain) of the current user. If the current user is logged in locally, NT will pass its own machine name as the domain.

Note. NT allows you to specify a different account, when making a remote connection. If you have specified a different account, that information will be passed, instead.

=============================
NT's authentication procedure
=============================

When NT attempts to validate an incoming connection, it first looks at the Domain field. If it recognizes (trusts) the domain, it will pass the authentication through to a domain controller for that domain. If it doesn't recognize the domain, it will attempt to validate the account against its own local user account database.

In either case:

1) If the username and password match an existing account, the connection will be completed as that user (assuming that account has permission to make the connection).

2) If the username exists, but the password doesn't match (or the username doesn't exist), the 9x user will be prompted for a password for the IPC$ share. If the user enters the correct password for that account, the connection will be completed (assuming that account has permission to make the connection).

3) If the username doesn't exist, but the Guest account is enabled and has sufficient privileges on the NT server (any NT machine sharing resources), the connection will be validated as Guest.

4) If the username doesn't exist and Guest is disabled, the 9x user will be prompted for a password for the IPC$ share. No matter what password is entered, the connection will not be validated, since the account doesn't exist.
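An added model of this decision procedure (example code written for this page, not from the original text): it encodes the 9x domain quirk, the trusted-domain pass-through and the four cases above, and records the Success/Failure audit entries you would look for in the Security log. Server, account and domain names are constructed, and the "denied" outcome for an account that lacks connect permission is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    may_connect: bool = True   # "has permission to make the connection"

@dataclass
class NtServer:
    name: str                                   # a non-DC NT box treats its own name as a domain
    local_accounts: dict                        # local user database: username -> Account
    trusted_domains: dict = field(default_factory=dict)  # domain -> (username -> Account) on its DC
    guest_enabled: bool = False                 # Guest enabled with sufficient privileges
    audit: list = field(default_factory=list)   # what Logon & Logoff auditing would record

def domain_sent_by_9x(nt_domain_field: str, workgroup: str) -> str:
    # 9x quirk: a non-blank "NT Domain" field is sent as the domain (even with
    # "Log on to NT domain" disabled); a blank field sends the workgroup name.
    return nt_domain_field or workgroup

def authenticate(server: NtServer, domain: str, username: str, password: str) -> str:
    """Returns 'connected:<user>', 'connected:Guest', 'prompt' (the 9x user is
    asked for an IPC$ password; the client just calls again with what was typed)
    or 'denied' (assumed outcome when the account exists but lacks permission)."""
    # Recognised (trusted) domain -> pass-through to that domain's DC;
    # anything else is checked against the local user database.
    accounts = server.trusted_domains.get(domain, server.local_accounts)
    where = "DC" if domain in server.trusted_domains else "local"
    acct = accounts.get(username)
    if acct is None:
        if server.guest_enabled:                # case 3
            server.audit.append(f"Success Audit: Logon Guest ({where})")
            return "connected:Guest"
        server.audit.append(f"Failure Audit: Logon {username} unknown ({where})")
        return "prompt"                          # case 4: no password can ever succeed
    if acct.password == password:
        if not acct.may_connect:
            server.audit.append(f"Failure Audit: Logon {username} no permission ({where})")
            return "denied"
        server.audit.append(f"Success Audit: Logon {username} ({where})")
        return f"connected:{username}"          # case 1
    server.audit.append(f"Failure Audit: Logon {username} bad password ({where})")
    return "prompt"                             # case 2: retry with the IPC$ password
```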

You can see what is happening by enabling Success and Failure auditing for Logon & Logoff on the NT server. Check the Security event log, after attempting a connection.

****************************