Tuesday, January 27, 2015

Domain User Login Process

Many of us, as Windows Server engineers, know well how to build a domain, how to join a PC to a domain, and how to troubleshoot a slow login. But very few of us know, or think about, what exactly runs in the background when a user logs on to a domain. The login takes only a few seconds, but in those few seconds a lot happens. Let us try to see and understand what exactly happens in the background when a user logs in.

When a user logs on to a workstation, the following steps happen:

When the user enters his password and hits the Enter key, the Kerberos client on his workstation converts the password into an encryption key. Kerberos is based on symmetric encryption keys, meaning the same key is used to encrypt and decrypt a message. This is also referred to as a shared secret key.

After the Kerberos client has converted the user's password into an encryption key, it saves the key in the workstation's credential cache. The workstation then sends an authentication request to the DC, acting as the KDC (Key Distribution Center). The authentication request identifies the user, names the service the user is requesting access to, and carries some pre-authentication data that proves the user knows the password.

The first portion of the authentication request identifies the user and asks for access to the TGS (Ticket Granting Service). The TGS is the service on the KDC that issues tickets for access to other services. All services within the Kerberos domain trust the TGS, so if a ticket was issued by the TGS they know the user has successfully authenticated and really is who he or she claims to be. The second part of the authentication request contains the pre-authentication data: a timestamp encrypted with the user's long-term key.

When the KDC receives the authentication request, it looks up the user's password-derived key in the local AD database and decrypts the pre-authentication data sent in the package. If the timestamp is within the permissible skew, it sends the user a TGT (Ticket Granting Ticket), which the user will present to the TGS from now on. When the user's workstation receives the reply from the KDC, it decrypts the session key with the user's password-derived key and stores it in the credential cache. This is the authentication information the user's workstation will use to communicate with the KDC from now onwards. The next time the user logs on, the session key will be completely different, because the KDC never reuses session keys. The workstation also extracts the TGT, which remains encrypted with the KDC's long-term key; the workstation cannot read it, only present it.
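The exchange just described, as an added toy model that is not part of the original post: the workstation derives a key from the password (PBKDF2 stands in for the real Kerberos string-to-key), sends an AS-REQ with an encrypted timestamp, and the KDC checks that timestamp against a 5-minute skew before returning a session key sealed under the user's key and a TGT sealed under the krbtgt key. The realm, account, password and the XOR-plus-HMAC "seal" cipher are constructed stand-ins, not a real Kerberos encryption type.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300           # seconds; assumed KDC clock-skew policy (Kerberos default is 5 min)
REALM = "CORP.EXAMPLE"   # constructed sample realm

def string_to_key(password: str, principal: str) -> bytes:
    """Workstation step: password -> long-term key. PBKDF2 stands in for the real string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

# Constructed KDC account database: principal -> long-term key (the KDC stores keys, not passwords)
KDC_DB = {"alice": string_to_key("Winter2015!", "alice"), "krbtgt": os.urandom(32)}

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for a Kerberos encryption type; not a real etype."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def as_req(user: str, password: str, now: float) -> dict:
    """Workstation builds the AS-REQ: who it is, which service (the TGS) and PA-ENC-TIMESTAMP."""
    key = string_to_key(password, user)
    return {"cname": user, "sname": "krbtgt/" + REALM, "padata": seal(key, {"patimestamp": int(now)}).hex()}

def kdc_as_rep(req: dict, now: float) -> dict:
    """KDC: decrypt pre-auth with the stored key, check skew, return session key + TGT."""
    user_key = KDC_DB[req["cname"]]
    ts = unseal(user_key, bytes.fromhex(req["padata"]))["patimestamp"]  # wrong password -> ValueError
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("KRB_AP_ERR_SKEW: pre-auth timestamp outside the permissible window")
    session_key = os.urandom(32).hex()   # fresh per logon, so each logon's session key differs
    tgt = seal(KDC_DB["krbtgt"], {"cname": req["cname"], "key": session_key, "endtime": int(now) + 36000})
    return {"enc_part": seal(user_key, {"key": session_key}).hex(), "ticket": tgt.hex()}

def workstation_login(user: str, password: str, now: float = None) -> dict:
    """Whole exchange; returns what lands in the credential cache: session key + opaque TGT."""
    now = time.time() if now is None else now
    rep = kdc_as_rep(as_req(user, password, now), now)
    session_key = unseal(string_to_key(password, user), bytes.fromhex(rep["enc_part"]))["key"]
    return {"session_key": session_key, "tgt": rep["ticket"]}  # TGT stays sealed under the krbtgt key
```

A workstation whose clock is more than five minutes off fails at the skew check even with the right password, which is why time synchronisation with the DC is part of troubleshooting slow or failing logons.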

This is the process that happens in the background when the user hits Enter after entering the username and password.