User Login Process

All users must authenticate themselves to NT, whether they want to use the local computer running NT Workstation or access the networked resources under the aegis of an NT domain. Without such an authentication, users can't use any computer under NT control (although it may be possible to gain limited access to a local computer by booting up DOS). NT authentication begins when the user invokes the Trusted Path in one of several ways to display a login dialog box. The user can press the Control-Alt-Delete key combination or pull down the Start menu and select Shut Down, which gives the user the option to log out the current user and then log in as a new user. Users who have installed Active Desktop with Internet Explorer 4.0 can also choose logout directly from the Start menu. Regardless of how the user invokes the Trusted Path, the next step is to provide a valid user name and password to the Local Security Authority. The Local Security Authority then invokes one or more local authentication packages, which, if they exist, may be custom-written and need not be the one bundled with NT. The local authentication package determines if the user name and the cryptographic hash of the password match the entry in the SAM, and if so, returns the Security Identifier, or SID, for that user. NT stores the SID in the SAM. The SAM does not hold the passwords themselves, but instead a 32-byte cryptographic hash of the passwords. Users who are not administrators cannot view the contents of the SAM. The only access right to the SAM that ordinary users have is to update their own passwords based on proof of knowledge of the old password. Administrators set up password policy and users control their passwords through NT's Domain User Manager tool. If the user name isn't in the local SAM--that is, this is a domain user--or there is no local authentication package, the Local Security Authority can forward the user name and password to a network-based authentication package, such as that provided by an NT domain controller. When authenticating users in a client/server relationship, NT employs a challenge-response protocol known as Windows NT Challenge/Response. The protocol uses the following process for users logging in to network domains: