Q103390: Network Access Validation Algorithm and Example
Article: Q103390
Product(s): Microsoft Windows NT
Version(s): 3.1 3.5 3.51 4.0
Operating System(s):
Keyword(s): kbnetwork
Last Modified: 08-AUG-2001
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows NT Advanced Server, version 3.1
- Microsoft Windows NT Server versions 3.5, 3.51, 4.0
-------------------------------------------------------------------------------
The following is a simplified algorithm that explains how Windows NT
Advanced Server account validation is observed to function during
network access. This discussion does not cover the internal workings
of this process. With this information, you can predict Windows NT
network logon behavior under deterministic conditions.
Keep in mind when following this article that the local database is the
ONLY
database on a domain controller. But on the other server and all
workstations the local database is different than the domain controller.
NOTE: All references to Windows NT Advanced Server in this article also
include Windows NT Server.
Background Information
----------------------
When two Microsoft network systems communicate over a network, they
use a high-level protocol called server message block (SMB). These
commands are embedded within the transport protocols like NetBEUI or
TCP/IP. When a client carries out a NET USE command, it sends out a
"SMB Session Setup and X" frame.
In Windows NT, the Session Setup SMB includes the user account, a
function of the encrypted password and login domain. An Advanced
Server will look at all of this information to determine if the client
has permissions to complete the NET USE command.
Algorithm
---------
Windows NT workstation sends the following command to an Advanced
Server:
NET USE x: \\server\share
The Windows NT client sends a Session Setup SMB that contains its
Login Domain, User Account and Password.
The Advanced Server checks the SMB specified Domain name
If the domain is the Advanced Server's own Domain then
It checks its own Domain SAM[Security Account Manager]database for
a matching account.
If it finds a matching account then
The SMB password is compared to the Domain Database password.
If the password matches then
The Command Completed Successfully.
If the password does NOT match then
User is prompted for a password.
It is retested as above.
System error 1326 has occurred. Logon failure: unknown
user name or bad password.
End
If it does NOT find the account in the domain SAM database then
Guest permissions are tested.
If the Guest account is Enabled
The Command Completed Successfully.
If the Guest account is Disabled
* See Note A.
User is prompted for a password.
System error 1326 has occurred. Logon failure:
unknown user name or bad password.
End
If the Domain specified in the SMB is one that the Advanced Server TRUSTS then
The Advanced Server will do pass through authentication. The
network logon request will be sent to an Advanced Server in the
specified Trusted Domain.
The Trusted Domain Advanced Server checks its own Domain database
for a matching account.
If it finds a matching account then
It looks to see if the Account is a Local or Global Account.
If the Account is Local then
Guest permissions on the Original Server are tested.
If the Guest account is Enabled
The Command Completed Successfully.
If the Guest account is Disabled
* See Note A.
User is prompted for a password.
System error 1326 has occurred. Logon failure:
unknown user name or bad password.
End
If the Account is Global
The SMB password is compared to the Domain Database
password.
If the password matches then
The Command Completed Successfully.
* See Note B.
If the password does NOT match then
User is prompted for a password.
It is retested as above.
System error 1326 has occurred. Logon failure:
unknown user name or bad password.
End
If it does NOT find the account in the Trusted domain
database then
Guest permissions are tested on the ORIGINAL Advanced
Server -NOT the Trusted Advanced Server. * See Note C.
If the Guest account is Enabled
User will have original server guest access.
The Command Completed Successfully.
If the Guest account is Disabled
* See Note A.
User is prompted for a password.
System error 1326 has occurred. Logon failure:
unknown user name or bad password.
End
If the Domain specified in the SMB is UNKNOWN by the Advanced Server.
[A Domain was specified but it was not recognized by the Server as a
Trusted Domain or its own.]
It will check its own Domain Account Database for
a matching account
If the Advanced Server finds a matching account then
The SMB password is compared to the Domain Database password.
If the password matches then
The Command Completed Successfully.
If the password does NOT match then
The User is prompted for a password.
It is retested as above.
System error 1326 has occurred. Logon failure: unknown
user name or bad password.
End
If it does NOT find the account in the domain database then
Guest permissions are tested.
If the Guest account is Enabled
The Command Completed Successfully.
If the Guest account is Disabled
System error 1326 has occurred. Logon failure:
unknown user name or bad password.
End
If the Domain specified in the SMB is NULL [None specified] then
The Advanced Server will treat this a local network logon. It
will check for a matching account in its own SAM Database.
If it finds a matching account then
The SMB password is compared to the SAM Database password.
If the password matches then
The Command Completed Successfully.
If the password does NOT match then
The User is prompted for a password.
It is retested as above.
System error 1326 has occurred. Logon failure: unknown
user name or bad password.
End
If it does NOT find the account in the local SAM Database then
The Advanced Server will Simultaneously ask another Advanced
Server in each Domain that it Trusts if it has account that
matches the SMB account.
The first Trusted Advanced Server to reply is sent a request to
perform pass through authentication of the client
information.
The Trusted Advanced Server will look in its own SAM Database.
If an account that matches the SMB account is found then
It looks to see if the Account is a Local or Global
Account.
If the Account is Local then
Guest permissions on the original Server are tested.
If the Guest account is Enabled
The Command Completed Successfully.
If the Guest account is Disabled
The user will be prompted for a password.
No matter what password is entered, user will receive
"Error 5: Access has been denied."
End
If the Account is Global
The password specified in the SMB is compared
to the SAM Database password.
If the password matches then
The Command Completed Successfully.
If the password does NOT match then
The User is prompted for a password.
It is retested as above.
System error 1326 has occurred. Logon failure:
unknown user name or bad password.
End
If no Trusted Domains respond to request to identify the
account then
Guest permissions are tested on the Original Advanced Server -
not the Trusted server.
If the Guest account is Enabled
The Command Completed Successfully.
If the Guest account is Disabled
System error 1326 has occurred. Logon failure:
unknown user name or bad password.
End
Notes
-----
1. At the point that the GUEST account is disabled and the user does not have an
account, the Windows NT Server will still request a password. Although no
password will meet its requirements, it will still request it. This is a
security measure. It insures that an unauthorized user cannot tell the
difference between a case where an account exists and when the account does
not exist. Password prompting always occurs regardless if the account exists.
2. At this point, the following information is returned from the Trusted Domain
in the Response: Domain SID, User ID, Global Groups Memberships, Logon Time,
Logoff Time, KickOffTime, Full Name, Password LastSet, Password Can Change
Flag, Password Must Change Flag, User Script, Profile Path, Home Directory
and Bad Password Count.
- Guest account only matters in the domain of the Server you are attempting to
access. Guest accounts on trusted domains never come into play.
- All steps above assume Global Account unless specified as Local Account. See
the "Concepts and Planning Guide" for more information on account types.
- The actual internal process is more complicated than the steps described
above.
- This does not cover the actual pass-through authentication mechanics. For
more information, query on the following words in the Microsoft Knowledge
Base:
authentication and msv
- This does not cover the password encryption process used in Windows NT. For
more information, query on the following words in the Microsoft Knowledge
Base:
authentication and msv
A function of the One Way Encrypted password is sent.
- This article does not detail the internal workings of the MS Authentication
Module.
- The above model assumes that the Guest Account, when enabled, has no
password. This is the default in Windows NT. If a guest account password is
specified, it must match the users password that sends in the SMB.
Example
-------
The following are examples of this algorithm in action:
I am logged on to my Windows NT workstation local computer. I am using
the same account name and password that is in SCRATCH-DOMAIN Advanced
Server Domain account database. When I carry out the NET USE \\SCRATCH
(Domain Controller for SCRATCH-DOMAIN) command, the command completes
successfully. When I carry out the NET USE \\NET (Controller that
Trust SCRATCH-DOMAIN) command. I receive the error message "System
error 1326 has occurred. Logon failure: unknown user name or bad
password." My account \SCRATCH-DOMAIN\USER1 has permissions on \\NET?
What is the problem?
Configurations
--------------
Windows NT workstation:
-Login account: USER1
-Password: PSW1
-Login Domain: LOCAL1
Windows NT Advanced Server:
-Server Name: NET</ITEM>
-Advanced Server Domain: NET-DOMAIN</ITEM>
-Trust: NET-DOMAIN Trust SCRATCH-DOMAIN (Therefore,
accounts on SCRATCH-DOMAIN can be granted permissions
in the NET- DOMAIN.
- Domain Account Database for NET-DOMAIN does NOT contain an account for USER1.
- Guest Account is DISABLED.
Windows NT Advanced Server:
-Server Name: SCRATCH
-Advanced Server Domain: SCRATCH-DOMAIN
-Domain Database contains account: USER1
-Domain Database contains password: PSW1
Answer
------
In this example, the Windows NT workstation is logged on to its local
workstation domain--not the Advanced Server SCRATCH-DOMAIN where its
domain account resides.
NET USE x: \\NET\share
- When the Windows NT workstation carried out the NET USE x: \\NET\share
command, it sent out account = "USER1", password = "PSW1" and domain =
"LOCAL1" in the Session Setup SMB.
- The Advanced Server \\NET received the SMB and looked at the account name.
- It looks in its local domain account database and does not find a match.
- \\NET then looks at the SMB Domain name.
- It does not trust "LOCAL1" so it does not check any of its trusted domains.
- \\NET then checks its Guest account.
- The guest account is disabled so the "System error 1326 has occurred. Logon
failure: unknown user name or bad password." message is generated.
NET USE x: \\SCRATCH\share
- When the Windows NT workstation carried out the NET USE x: \\SCRATCH\share
command, it sent out account = "USER1", password = "PSW1" and domain =
"LOCAL1" in the Session Setup SMB.
- The Advanced Server \\SCRATCH receives the SMB and looks at the account name.
- It looks in its local domain account database and finds a match.
- \\SCRATCH then compares the SMB password to the Domain account password.
- The passwords match so the "Command Completes Successfully" message is
generated.
In these cases, the trust relationship does not come into play. If the
Workstation had been logged on to the SCRATCH-DOMAIN, the
NET USE x: \\NET\share command would have been successful.
The real answer here is to have all workstations log on to an Advanced
Server domain. In order to login, the user must specify their correct
domain, account, and password. After this is done, all NET USE type
commands will pass the correct domain, account, and password.
Administrators should try and avoid duplicate accounts on both Windows
NT workstations and multiple Advanced Server domains.
USER: Workaround
----------------
There is one workaround that can be used in these cases. From the
Windows NT workstation, you could carry out the following command
NET USE X: \\NET\SHARE /USER:SCRATCH-DOMAIN\USER1 PSW1
where
- \\NET = The computer name of the Advanced Server being accessed.
- \SHARE = The share name.
- /USER: command line parameter that lets you specify the domain,
account and password that should be specified in the Session Setup
SMB.
- SCRATCH-DOMAIN = Domain name of the Advanced Server where the user
account resides.
- \USER1 = account to be validated against.
- PSW1 = password that matches account on the domain.
For more information, type the following at a Windows NT command
prompt:
NET USE /?
NULL Domain Names
-----------------
In addition to Windows for Workgroups 3.1, other Microsoft network
clients also send NULL Domain Names in the Session Setup SMB [x73].
They will also exhibit the behavior described above in the example
problem. The following is a table of how each client handles the
Domain Name.
MS Network Domain Name
Client Specified
---------------------------------------------
Windows for Workgroups 3.1 NULL
Windows for Workgroups 3.11 Logon domain name.
MS OS/2 LAN Manager 2.0, 2.1,
and 2.2 NULL
MS-DOS LAN Manager 2.0 NULL
MS-DOS LAN Manager 2.1 & 2.2 Logon domain name. * See Note below.
(Including Windows on MS-DOS)
Windows NT 3.1 Logon domain name.
Notes
-----
The default domain name is specified in the LANMAN.INI file on the
"DOMAIN =" line. This can be overridden by the /DOMAIN: switch with
the NET LOGON command.
There are typically two representations for "NULL" in the SMB: A
zero-length domain name and a one-byte domain name consisting of the
character '?'. The Windows NT SMB server catches the '?' and
translates it to NULL before passing it to the local security
authority (LSA).
Troubleshooting
---------------
A good tip for troubleshooting network access problems is to enable
auditing by doing the following:
1. In the User Manager for Domains window, choose Audit from the Policies menu.
2. Select the Audit These Events button.
3. Select the Logon and Logoff Success and Failure options.
Now, anytime a network user access this server remotely, an audit
trail will be logged in the Event Viewer. In the Event Viewer, choose
Security from the Log menu to see the events.
For information on trust relationships, pass-through authentication,
user permissions, and domain logins, please see your Windows NT
Advanced Server "Concepts and Planning" guide or query on the
following words in the Microsoft Knowledge Base:
authentication and pass-through
Additional query words: wfw wfwg prodnt
======================================================================
Keywords : kbnetwork
Technology : kbWinNTsearch kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTAdvSerSearch kbWinNTAdvServ310 kbWinNTS351search kbWinNTS350search kbWinNT310Search
Version : 3.1 3.5 3.51 4.0
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.