Microsoft Windows Authentication Techniques


When users log in to a Windows computer, they must perform several steps to authenticate themselves. The Windows OS authenticates its users using three mechanisms (protocols) provided by Microsoft.


Security Accounts Manager (SAM) Database

Windows stores user accounts and passwords in hashed form (a one-way hash, never the plaintext password) in the Security Accounts Manager (SAM) database, or in the Active Directory database on domain-joined systems. The SAM file is protected by an exclusive filesystem lock that the Windows kernel obtains and holds. A user cannot move or copy the SAM file while Windows is running because the system keeps it locked. The lock is not released until the OS shuts down or the system crashes with a blue screen exception.

The SAM file is stored at %SystemRoot%\system32\config\SAM on Windows systems, and Windows mounts it in the registry under the HKLM\SAM hive. It stores LM or NTLM password hashes.


NTLM Authentication

The default authentication method, NT LAN Manager (NTLM), uses a challenge/response approach to authenticate users. NTLM authentication is made up of the LAN Manager (LM) authentication protocol and the NTLM authentication protocol. These protocols store user passwords in the SAM database using different hashing techniques. In NTLM authentication, the client and server negotiate which authentication protocol to use; this negotiation is handled by Microsoft's NTLM Security Support Provider (SSP). The exchange proceeds as follows:
  • The client types the username and password into the login screen.
  • Windows runs the password through a hash algorithm and generates a hash.
  • The client computer sends a login request along with a domain name to the domain controller. 
  • The domain controller generates a 16-byte random character string called a "nonce," which it sends to the client computer. 
  • The client computer encrypts the nonce with a hash of the user password and sends it back to the domain controller.
  • The domain controller retrieves the hash of the user password from the SAM and uses it to encrypt the nonce. Then, it compares the encrypted value with the value received from the client. If the values match, the client is authenticated, and the login is successful.
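The six steps above model as a short exchange between a client and a domain controller. The following Python simulation is an added example, not code from the original post or from Microsoft: the "SAM" is a constructed in-memory dictionary, the password hash is a SHA-256 stand-in (Windows actually uses MD4 over the UTF-16LE password for the NT hash, which is often unavailable in hashlib), and "encrypting the nonce with the hash" is modelled as a keyed hash (HMAC-SHA256; real NTLMv2 uses HMAC-MD5 over the challenge plus client data, and NTLMv1 uses DES). What the example shows is the security-relevant shape of the protocol: the password never leaves the client, the domain controller verifies using only the stored hash, and a response computed for one nonce is rejected when a fresh nonce is issued.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash (assumption: SHA-256 instead of Windows' MD4)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, nonce: bytes) -> bytes:
    """Model of 'encrypt the nonce with the password hash' (assumption: HMAC-SHA256)."""
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


class DomainController:
    """Holds the hashed credentials (constructed stand-in for the SAM / AD store)."""

    def __init__(self) -> None:
        self._sam: dict[str, bytes] = {}

    def add_user(self, username: str, password: str) -> None:
        # Only the hash is stored, matching the one-way storage described above.
        self._sam[username] = password_hash(password)

    def challenge(self) -> bytes:
        # Step 4: a fresh 16-byte random nonce per login attempt.
        return secrets.token_bytes(16)

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # Step 6: recompute from the stored hash and compare in constant time.
        stored = self._sam.get(username)
        if stored is None:
            return False
        expected = compute_response(stored, nonce)
        return hmac.compare_digest(expected, response)


class Client:
    """Workstation side: steps 1, 2 and 5."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self._pw_hash = password_hash(password)  # the plaintext is hashed locally

    def respond(self, nonce: bytes) -> bytes:
        return compute_response(self._pw_hash, nonce)


def login(dc: DomainController, client: Client) -> bool:
    """Steps 3 to 6 in order: request, challenge, response, verification."""
    nonce = dc.challenge()
    response = client.respond(nonce)
    return dc.verify(client.username, nonce, response)


def demo() -> tuple[bool, bool, bool]:
    """Returns (correct password accepted, wrong password rejected?, replay rejected?)."""
    dc = DomainController()
    dc.add_user("alice", "correct horse battery staple")  # constructed sample account

    accepted = login(dc, Client("alice", "correct horse battery staple"))
    wrong = login(dc, Client("alice", "not the password"))

    # A response tied to an earlier nonce does not verify against a new challenge,
    # which is why the domain controller issues a fresh nonce each time.
    old_nonce = dc.challenge()
    old_response = Client("alice", "correct horse battery staple").respond(old_nonce)
    replayed = dc.verify("alice", dc.challenge(), old_response)

    return accepted, wrong, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that `verify` never needs the password itself: the stored hash alone is enough to reproduce the client's answer. That is the reason the SAM file lock and the protection of its hashes in the previous section matter as much as the strength of the passwords.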


Kerberos Authentication

In place of NTLM, Microsoft's default authentication protocol is now Kerberos, which offers more robust authentication for client/server applications.

Kerberos is a network authentication system that uses secret-key cryptography to give client/server applications robust authentication. The user and the server both confirm each other's identities. Messages sent through this protocol are protected against replay attacks and eavesdropping.

Kerberos relies on a trusted third party, the Key Distribution Centre (KDC), which consists of two logically separate components: an authentication server (AS) and a ticket-granting server (TGS).


We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible.
