Authentication Services and Components
All users, groups of users, or computers that participate in a domain have accounts and are called security principals. Security principals operate within a security context. The security context defines the rights and permissions a given account has in a specific situation. For example, a user may be limited in capabilities when logging on remotely instead of locally, or be given more capabilities when logging on from Workstation A instead of Workstation B. Before these capabilities can be granted though, the account must be authenticated. How Windows actually authenticates an account is a relatively straightforward process that utilizes a number of components. This section covers the building blocks of authentication in Windows XP, for both stand-alone workstations and domain members.
Credential Types and Validation
Credentials are the pieces of evidence that substantiate a claim of identity. Business cards, drivers' licenses, passports, and so forth are all types of credentials commonly used to verify identity. Some types of credentials are considered a stronger guarantee of someone's identity: a driver's license is a stronger credential than a health club membership card.
Validation is the process by which a credential is confirmed as genuine. The body requesting the credentials verifies that the credentials are acceptable according to specific standards before granting authorization to complete a transaction. Windows verifying that the username and password combo entered by a user is analogous to a cashier verifying that the photo on a driver's license matches the person presenting it.
The strength of the credential is not just based on the credibility of the issuing body though. It is also based on the authenticity of the credential itself (for example, is it possible this credential has been tampered with?). Windows XP supports three types of credentials that offer varying levels of security for the resources that are being protected: passwords, Kerberos tickets, and smart cards. We cover configuration and management of these credential types later in this chapter.
Local Security Authority
The Local Security Authority, or LSA, is responsible for validation of credentials in Windows. The LSA is also responsible for management of local security and audit policies and the generation of tokens. Exactly how authentication occurs depends on where the account was created:
For a user logging on to a stand-alone workstation, the authentication occurs in the local Security Accounts Manager (SAM).
For a user logging on to a Windows NT 4.0 domain, authentication occurs in the domain SAM.
For a user logging on to a Windows 2000 Active Directory domain, authentication occurs in the Active Directory.
The Security Accounts Manager is a protected subsystem that manages the accounts database. The SAM can be located locally or on a Windows NT 4.0 domain controller. The local SAM manages accounts used only on that computer, while the domain SAM manages accounts, both computer and user, for the domain. The Active Directory is only available in Windows 2000 and Windows 2003 domain controllers.
Regardless of where an account is authenticated, however, the LSA still handles all validation tasks at the local level. In other words, no matter where your account resides, the LSA still validates that your account is listed in an account database trusted by the LSA before passing it along to the appropriate authentication provider. Figure 16.1 illustrates the LSA and the various authentication providers.
Figure 16.1 The Local Security Authority