User Logon Processes - AD
User Logon Processes
To troubleshoot logon problems, you need to understand all of the components involved in the logon. A successful logon requires access to all of the servers shown in the diagram below: the client must be able to reach a domain controller for its logon domain and a Global Catalog server, and it must be able to locate both through DNS.
[Diagram: logon flow from the PC user to the servers involved in the logon; only the label "PC User" survived extraction]
Users log on with a UPN (User Principal Name) of the form user@suffix. The suffix of the UPN need not match the DNS name of the domain that holds the user's object; a common case is an e-mail address used as the UPN, whose suffix is not the name of any domain in the forest. Because the suffix alone cannot identify the logon domain, the Global Catalog (which holds a partial replica of every object in the forest, including the userPrincipalName attribute) must be searched for the user object with the matching UPN to determine the logon domain before the logon can proceed. This is one more dependency to check when troubleshooting: a logon entered as user@suffix fails when no Global Catalog can be reached, even if a domain controller of the user's own domain is available, whereas the DOMAIN\user form does not need this lookup.
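The lookup the logon process performs can be reproduced from a domain-joined machine to confirm which domain actually holds a given UPN. The following is an added example, not code from the original page; it assumes an account with read access to the forest and a reachable Global Catalog, and the UPN alice@mail.example.com is a constructed placeholder. It binds to the Global Catalog (serverless GC:// bind against the forest root) rather than LDAP://, which is the point of the paragraph above: only the GC can answer the question for the whole forest.

```powershell
# Added example: resolve a UPN to its logon domain through the Global Catalog,
# the same lookup Winlogon/LSA performs before a user@suffix logon can proceed.
function Resolve-UpnDomain {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Search base is the forest root naming context, bound through the GC provider
    # (LDAP port 3268), so every domain's user objects are in scope.
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $rootDn  = ($forest.RootDomain.Name -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    $gcRoot  = [ADSI]("GC://" + $rootDn)

    # Escape LDAP filter metacharacters (RFC 4515) so an untrusted UPN cannot widen the filter.
    $escaped = $UserPrincipalName `
        -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $gcRoot
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$escaped))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'userPrincipalName'))

    $result = $searcher.FindOne()
    if (-not $result) {
        throw "No user object with UPN '$UserPrincipalName' exists in the Global Catalog; a logon with this UPN cannot proceed."
    }

    # The DC= components of the object's DN name the domain that holds the object,
    # i.e. the logon domain, which may differ from the UPN suffix.
    $dn        = [string]$result.Properties['distinguishedname'][0]
    $domainDns = ($dn -split ',' | Where-Object { $_ -match '^DC=' } | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
    $suffix    = $UserPrincipalName.Split('@')[1]

    [pscustomobject]@{
        UserPrincipalName = [string]$result.Properties['userprincipalname'][0]
        SamAccountName    = [string]$result.Properties['samaccountname'][0]
        LogonDomain       = $domainDns
        SuffixMatchesDomain = ($suffix -ieq $domainDns)
    }
}

# Constructed placeholder UPN; substitute one from your own forest.
Resolve-UpnDomain -UserPrincipalName 'alice@mail.example.com'
```

A SuffixMatchesDomain value of False is the case the paragraph describes: the logon still works, but only because the Global Catalog answered the lookup.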
If the domain logon fails because no domain controller can be reached, Windows may still allow access to the local computer. Windows caches a verifier derived from the credentials of the last few domain logons (10 by default, set by the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; 0 disables caching). When no domain controller answers, Windows checks the name/password combination against these cached credentials and grants a local logon if they match; the Security log records this as event 4624 with logon type 11 (CachedInteractive). Note that the cache is only consulted when the domain is unreachable: a domain controller that rejects the password does not trigger the fallback. In this situation the user holds no Kerberos tickets, so network resources that require domain authentication are unavailable until a domain controller can be reached.
For the logon to succeed, all group memberships must be determined, because they are placed in the user's access token and used for every subsequent access check. Universal group memberships are potentially the most difficult to resolve: universal groups can be created in any domain of the forest and can have members from any domain, so a domain controller cannot enumerate a user's universal groups from its own domain partition alone. To resolve this difficulty, universal group membership is published in the Global Catalog. If no Global Catalog server is available at logon, universal group membership cannot be determined, and Windows refuses the domain logon rather than issue a token with incomplete group memberships (an incomplete token could silently omit a group that was meant to deny access). The exception is members of Domain Admins, who are allowed to log on without the authority of their universal group memberships. Other users fall back to cached credentials, if any exist on the computer, and will not have network access. On Windows Server 2003 and later, Universal Group Membership Caching can be enabled on a site's NTDS Site Settings object so that the site's domain controllers answer this lookup from a cache instead of contacting a Global Catalog, which removes the dependency for sites without a local GC.
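The dependencies described in the two paragraphs above (cached logon fallback and Global Catalog availability) can be checked from the workstation that is having trouble. This is an added example, not part of the original page; it assumes an elevated PowerShell session on a domain-joined Windows machine (reading the Security log needs administrator rights) and the Test-NetConnection cmdlet (Windows 8 / Server 2012 and later).

```powershell
# Added example: check the logon fallbacks on a domain-joined workstation.

function Get-CachedLogonPolicy {
    # Number of domain logons whose verifiers Windows keeps for offline logon; 10 if the value is absent.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    [pscustomobject]@{ CachedLogonsCount = if ($null -eq $value) { 10 } else { [int]$value } }
}

function Get-RecentCachedLogons {
    param([int]$Days = 7)
    # Event 4624 with LogonType 11 (CachedInteractive) means no DC answered and the cached
    # verifier was used. Property positions in 4624: 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 11 } |
        ForEach-Object {
            [pscustomobject]@{
                Time = $_.TimeCreated
                User = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            }
        }
}

function Test-GlobalCatalog {
    # Uses the same site-aware DC locator the logon process uses, then confirms the GC port answers.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    try {
        $gc  = $forest.FindGlobalCatalog()
        $tcp = Test-NetConnection -ComputerName $gc.Name -Port 3268 -WarningAction SilentlyContinue
        [pscustomobject]@{ GlobalCatalog = $gc.Name; Site = $gc.SiteName; Port3268Open = $tcp.TcpTestSucceeded }
    } catch {
        # No GC could be located: UPN lookups and universal group resolution will fail at logon.
        [pscustomobject]@{ GlobalCatalog = $null; Site = $null; Port3268Open = $false }
    }
}

function Test-UniversalGroupCaching {
    # Universal Group Membership Caching is bit 0x20 of the 'options' attribute on the
    # NTDS Site Settings object of the computer's site.
    $site     = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $settings = [ADSI]("LDAP://CN=NTDS Site Settings,CN=$($site.Name),CN=Sites,$configNc")
    $options  = [int]$settings.Properties['options'].Value
    [pscustomobject]@{ Site = $site.Name; UniversalGroupCachingEnabled = (($options -band 0x20) -ne 0) }
}

Get-CachedLogonPolicy
Get-RecentCachedLogons -Days 7 | Format-Table -AutoSize
Test-GlobalCatalog
Test-UniversalGroupCaching
```

A run that shows Port3368Open as False together with a burst of logon type 11 events is the situation the text describes: users are getting in on cached credentials and will not reach network resources until a Global Catalog is reachable again.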
Kerberos Authentication
Kerberos is an authentication protocol developed at MIT as part of Project Athena; Active Directory uses Kerberos version 5 (RFC 4120). The name comes from Kerberos (Cerberus), the three-headed dog of Greek mythology that guards the entrance to Hades.
Microsoft replaced NTLM, the challenge/response protocol used in Windows NT, with Kerberos as the default authentication protocol for Active Directory; NTLM remains available as a fallback for clients and scenarios that cannot use Kerberos (for example, connecting to a server by IP address rather than by name). Kerberos authentication is managed by KDC (Key Distribution Center) servers. Every Active Directory domain controller runs the KDC service.
At logon the client obtains a ticket-granting ticket (TGT) from a KDC domain controller. Before connecting to a server, the client presents the TGT to the KDC to obtain a service ticket for that server's service principal name (SPN). The ticket is only valid for sessions between that particular client and that particular service; another ticket is required to connect to another server. Tickets are cached in the client's logon session and reused until they expire (10 hours by default), so the KDC is contacted once per service, not once per connection.
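The ticket-per-server behaviour can be observed directly in the client's ticket cache. The following is an added example, not code from the original page; it assumes a domain-joined Windows 7 / Server 2008 R2 or later machine (for the klist.exe output format it parses) and the .NET System.IdentityModel assembly. The two SPNs are constructed placeholders and must be replaced with real SPNs from your forest.

```powershell
# Added example: request service tickets for two servers and list the resulting cache entries.

function Get-KerberosTicket {
    # Parses klist.exe output for the current logon session into one object per cached ticket.
    $entries = @()
    $current = $null
    foreach ($line in (& klist.exe 2>&1)) {
        switch -Regex ($line) {
            '^#\d+>\s+Client:\s+(.+)$' {
                if ($current) { $entries += [pscustomobject]$current }
                $current = [ordered]@{ Client = $Matches[1].Trim(); Server = $null; EncryptionType = $null; EndTime = $null }
            }
            '^\s+Server:\s+(.+)$'                     { if ($current) { $current.Server = $Matches[1].Trim() } }
            '^\s+KerbTicket Encryption Type:\s+(.+)$' { if ($current) { $current.EncryptionType = $Matches[1].Trim() } }
            '^\s+End Time:\s+(.+)$'                   { if ($current) { $current.EndTime = $Matches[1].Trim() } }
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    $entries
}

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string]$ServicePrincipalName)
    # Sends a TGS-REQ for the SPN using the caller's TGT and caches the TGS-REP ticket.
    # The KDC issues the ticket regardless of whether the caller may use the service;
    # authorization is decided by the server when the ticket is presented.
    Add-Type -AssemblyName System.IdentityModel
    $token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $ServicePrincipalName
    [pscustomobject]@{
        SPN          = $ServicePrincipalName
        ApReqBytes   = $token.GetRequest().Length   # size of the AP-REQ the client would send to the server
        ValidTo      = $token.ValidTo
    }
}

# Constructed placeholder SPNs; substitute real ones from your forest.
Request-ServiceTicket -ServicePrincipalName 'HOST/fs01.corp.example.com'
Request-ServiceTicket -ServicePrincipalName 'HOST/fs02.corp.example.com'

# The cache now holds the krbtgt/ (TGT) entry plus one entry per service requested above.
Get-KerberosTicket | Format-Table Client, Server, EncryptionType, EndTime -AutoSize
```

Two things worth checking in the output: each server appears as its own entry with its own expiry, and the EncryptionType column shows what the KDC actually issued. An RC4-HMAC ticket for a service account means that account still has an RC4 key, which is the configuration that makes offline cracking of service tickets practical, so it is worth flagging when you see it.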