# LSA 6: Describe Network Logon

## Network Logon Process

Network logon refers to the process by which a user accesses network resources—such as file shares, printers, or other services—without logging directly into the local machine. Unlike local logons, which involve authenticating to a single computer, network logon extends authentication to resources that reside on other systems across a network.

## Key Concepts of Network Logon

- **Remote Authentication:** In a network logon scenario, users authenticate to network services (such as file servers, printers, or database servers) using credentials stored in Active Directory (AD). The centralization of user credentials in AD makes it easier to manage authentication across a wide range of resources in a networked environment.
- **Authentication Protocols:** Kerberos and NTLM are the two main authentication protocols used during network logon. These protocols ensure that users' credentials are securely validated before granting access to network resources.
- **Ticket Granting (Kerberos):** When Kerberos is used for authentication, a Ticket Granting Ticket (TGT) is issued after the user successfully authenticates. The TGT is a time-sensitive ticket that allows the user to access various network services without needing to re-authenticate each time. This ticket reduces the overhead of repeated credential validation, improving efficiency and security.

## Network Logon Process: Step-by-Step

### 1. Initiate Access

- The user attempts to access a network resource (e.g., a shared file, a network printer, or an application hosted on a remote server). This action triggers the network logon process.

### 2. Enter Credentials

- The user is prompted to enter their credentials (username and password). These credentials are typically stored in Active Directory for domain users or in the local SAM database for local accounts.

### 3. Send Credentials to LSA for Authentication

- The Local Security Authority (LSA) is responsible for processing the authentication request. The LSA verifies the credentials by communicating with either Active Directory (for domain-joined users) or the Security Accounts Manager (SAM) for local accounts. Depending on the configuration, either Kerberos or NTLM will be used to authenticate the user.

## Authentication Method: Kerberos vs. NTLM

### Kerberos Authentication Process

- **Step 4: Request TGT.** If Kerberos is used for authentication, the user sends a request for a Ticket Granting Ticket (TGT) to the Kerberos Key Distribution Center (KDC). This request is sent to the domain controller, where the KDC validates the user's credentials.
- **Step 5: Receive TGT.** Upon successful validation, the KDC issues a TGT. This ticket serves as proof of identity and contains encrypted session keys, allowing the user to authenticate to various network services without needing to enter credentials again.
- **Step 6: Request Service Ticket.** To access a specific network resource, the user presents the TGT to the KDC, requesting a Service Ticket for the desired service (e.g., a file server). The KDC verifies the request and generates a service-specific ticket.
- **Step 7: Receive Service Ticket.** The KDC sends the Service Ticket back to the user. This ticket is also encrypted and contains information about the user's access rights for that specific service.
- **Step 8: Access Resource.** The user presents the Service Ticket to the targeted resource (e.g., a file server). The resource validates the ticket, and if everything checks out, access to the resource is granted.
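Steps 4 through 8 as a runnable simulation, added here and not part of the original lesson: a toy KDC, client and service in Python, with HMAC-SHA256-based sealing standing in for Kerberos encryption. All keys, principal names and the 600-second lifetime are constructed assumptions; the point is which party holds which key at each step.

```python
import hashlib, hmac, json, os, time
# Toy authenticated encryption from HMAC-SHA256 (a stand-in for a Kerberos etype
# such as AES256-CTS-HMAC-SHA1-96). Blob layout: nonce(16) | ciphertext | tag(32).
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]
def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Long-term keys (constructed). The KDC holds all three; the client derives only
# USER_KEY from its password and never learns KRBTGT_KEY or SERVICE_KEY.
USER_KEY = hashlib.sha256(b"constructed-user-password").digest()
KRBTGT_KEY, SERVICE_KEY = os.urandom(32), os.urandom(32)
def kdc_as_exchange(user, preauth):                   # steps 4-5: AS-REQ / AS-REP
    unseal(USER_KEY, preauth)                          # pre-auth proves knowledge of the password
    sk = os.urandom(32).hex()                          # TGS session key
    tgt = seal(KRBTGT_KEY, {"user": user, "sk": sk, "exp": time.time() + 600})
    return tgt, seal(USER_KEY, {"sk": sk})             # the TGT itself is opaque to the client

def kdc_tgs_exchange(tgt, authenticator, service):    # steps 6-7: TGS-REQ / TGS-REP
    t = unseal(KRBTGT_KEY, tgt)
    if t["exp"] < time.time():
        raise ValueError("TGT expired")
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match TGT")
    ssk = os.urandom(32).hex()                         # service session key
    st = seal(SERVICE_KEY, {"user": t["user"], "svc": service, "sk": ssk,
                            "exp": time.time() + 600})
    return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def service_ap_exchange(ticket, authenticator):       # step 8: AP-REQ at the resource
    t = unseal(SERVICE_KEY, ticket)                    # only the service and the KDC hold this key
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    return a["user"] == t["user"] and t["exp"] > time.time()

def network_logon(user, service):                     # client side of the whole flow
    tgt, rep = kdc_as_exchange(user, seal(USER_KEY, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(USER_KEY, rep)["sk"])
    st, rep2 = kdc_tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, rep2)["sk"])
    return service_ap_exchange(st, seal(ssk, {"user": user, "ts": time.time()}))
```

A ticket sealed under any key other than the intended one fails the integrity check in `unseal`, and an expired TGT is refused at the TGS exchange, which is what the lesson means by the TGT being time-sensitive.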

### NTLM Authentication Process

- **Step 4: Send Authentication Request.** When NTLM is used, the user's system sends an authentication request to the network resource. This request includes the user's credentials, typically in the form of a hashed password.
- **Step 5: Receive Challenge.** The network resource (or server) responds with a challenge. This challenge is a randomly generated number that must be used in the next step to prove the user's identity.
- **Step 6: Respond to Challenge.** The user's system computes a response to the challenge using the user's password hash and sends it back to the server.
- **Step 7: Validate Response.** The server validates the response to the challenge. If the computed value matches the expected result, the server knows the user has the correct password and grants access.
- **Step 8: Access Granted.** Once the challenge-response process is successfully completed, the user is granted access to the requested resource.

## Comparison: Kerberos vs. NTLM for Network Logon

Feature | Kerberos Authentication | NTLM Authentication |
---|---|---|
Security | More secure due to ticket-based authentication and mutual authentication. | Less secure, vulnerable to attacks like Pass-the-Hash. |
Protocol Type | Ticket-based authentication. | Challenge-response protocol. |
Efficiency | No need to re-authenticate for each resource; TGT allows single sign-on. | Requires re-authentication for each request. |
Use Cases | Primarily used in domain environments with Active Directory. | Used in workgroup environments or when Kerberos is unavailable. |
Scalability | Well-suited for large, distributed networks. | Better suited for smaller, less complex networks. |
Mutual Authentication | Supports mutual authentication between clients and servers. | Does not support mutual authentication. |
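One way to see the Kerberos-versus-NTLM split from the comparison above in practice, added here as an example and not part of the original lesson: audit successful network logons (Event ID 4624, Logon Type 3) and separate the expected Kerberos logons from NTLM ones, distinguishing local accounts (which cannot use Kerberos) from domain accounts that fell back to NTLM, and NTLM V1 responses. The CSV is a constructed sample modelled on the 4624 EventData field names; the classification rules are the author's assumptions, not a Microsoft-defined scheme.

```python
import csv, io
from collections import Counter

# Constructed sample of Security-log 4624 events, flattened to CSV the way a
# Get-WinEvent export might look. "Computer" is the host that logged the event.
SAMPLE_CSV = """\
Computer,EventID,LogonType,TargetDomainName,TargetUserName,AuthenticationPackageName,LmPackageName,IpAddress
FILESRV01,4624,3,CORP,alice,Kerberos,-,10.0.1.25
FILESRV01,4624,3,CORP,svc-backup,NTLM,NTLM V2,10.0.1.77
FILESRV01,4624,3,CORP,bob,NTLM,NTLM V1,10.0.2.9
WS-ALICE,4624,2,CORP,alice,Negotiate,-,127.0.0.1
FILESRV01,4624,3,FILESRV01,localadmin,NTLM,NTLM V2,10.0.1.25
FILESRV01,4625,3,CORP,carol,NTLM,-,10.0.3.4
"""

# Outcome labels for a LogonType 3 (network) 4624 event (assumed scheme).
KERBEROS = "kerberos"                  # expected path for domain accounts
NTLM_LOCAL = "ntlm-local-account"      # local accounts cannot use Kerberos; expected
NTLM_DOMAIN = "ntlm-domain-account"    # Kerberos fallback worth investigating
NTLM_V1 = "ntlm-v1"                    # legacy response type; highest priority

def classify(ev):
    """Label one event, or return None if it is not a successful network logon."""
    if ev["EventID"] != "4624" or ev["LogonType"] != "3":
        return None
    pkg = ev["AuthenticationPackageName"]
    if pkg == "Kerberos":
        return KERBEROS
    if pkg != "NTLM":
        return None
    if ev["LmPackageName"] == "NTLM V1":
        return NTLM_V1
    # Target domain equal to the logging host means a local (SAM) account.
    if ev["TargetDomainName"].upper() == ev["Computer"].upper():
        return NTLM_LOCAL
    return NTLM_DOMAIN

def audit(csv_text):
    """Return (counts per label, list of events that merit follow-up)."""
    counts, findings = Counter(), []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        label = classify(ev)
        if label is None:
            continue
        counts[label] += 1
        if label in (NTLM_DOMAIN, NTLM_V1):
            findings.append((label, ev["TargetDomainName"] + "\\" + ev["TargetUserName"],
                             ev["IpAddress"], ev["Computer"]))
    return counts, findings
```

Domain accounts showing up under NTLM on a server usually mean the client addressed the resource by IP address or a name without a registered SPN, so Kerberos could not be used; those are the rows to chase when trying to reduce NTLM use.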

## Conclusion

Network logon enables users to access resources on a network by authenticating with credentials stored in a centralized directory, such as Active Directory. The logon process relies on either Kerberos or NTLM for authentication, depending on the configuration. Kerberos offers stronger security and efficiency through ticket-based authentication, allowing users to authenticate once and access multiple resources without repeated logins. NTLM, while still in use, is less secure and is generally used for legacy systems or fallback scenarios.