N
Nick
I have a question that is a bit troubling to
me at this moment. I was setting up two windows 2003
domains, domain1 and domain2, on the same physical LAN.
There were no trusts between them or any shared resources.
It so happens that the administrator accounts were
named "administrator" (by default) with the same password
for both administrators on both domains. I logged onto the
domain controller for domain1 as "administrator". Since
this is a domain controller, I'm guessing that the
authentication protocol used is Kerberos for
authentication into the system.
Here are the steps: ( Winlogon sends the information to
the LSA. When the logon request reaches the LSA, it passes
the request to the Kerberos authentication package. Then
it sends an initial authentication request (AS_REQ), which
includes the user credentials and an encrypted timestamp
to the KDC. This is a request for authentication and a
TGT. The KDC uses the secret key to decrypt the timestamp
and issues a TGT to the client. This TGT (AS_REP) contains
a session key, the name of the user to whom the session
key was issued, the maximum lifetime of the ticket, and
any additional data fields or settings that might be
required. The AS_REP is encrypted in the user's key and
returned to the user. The ticket is encrypted in the KDC's
key and enclosed in the AS_REP. The authorization data
portion of the TGT contains the SID for the user account
and SIDs for any global and universal groups to which the
user belongs. When the user attempts to access a resource,
the client system uses the TGT to request a service ticket
(TGS_REQ) from the Kerberos ticket-granting service on the
domain controller. The TGS then issues a service ticket
(TGS_REP) to the client. This service ticket is encrypted
using the server's secret key. The SIDs are copied by the
Kerberos service from the TGT into all subsequent service
tickets obtained from the Kerberos service. The client
presents this service ticket directly to the requested
network service. The service ticket proves both the user's
identity and permissions to the service, and the service's
identity to the user. 1)
I don't believe that there is a way for the
Kerberos protocol to be used to authenticate between un-
trusted domains even if they reside on the same physical
segment. Therefore the information cached within the LSA,
maybe information to make the authenticator for Kerberos
or other pieces of information to use for other forms of
authentication, is used to try and authenticate. So, the
next form of authentication is NTLM. Now, my understanding
of NTLM is that it uses salts, therefore, the same user
name with the same password on different domains does not
equal the same person and a pass-through authentication
will not work. The only way is to re-authenticate with the
correct credentials, i.e. using the domain name to make
the proper authentication token. I began browsing in
between the domains using network neighborhood and even
mapped a drive to the other domain. I did all this and I
had not re-authenticated into domain2. Seeing that there
is no trusts set up in between the domains what
authentication protocol did this default to? The only
authentication protocols available to my knowledge are
NTLMv2, NTLMv1 and LANManager. It seems that it defaulted
to LM and used basic credentials (no salts) cashed in LSA
to make it seem like pass-through authentication access.
Is this the case or am I completely off base? Should an
administrator logged on to a domain controller in domain1
be able to freely access resources on un-trusted domain2
if he has the same user id and password as a user in
domain2?
1 (reference-
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtechnol/winxppro/reskit/prdp_log_cklv.asp)
me at this moment. I was setting up two windows 2003
domains, domain1 and domain2, on the same physical LAN.
There were no trusts between them or any shared resources.
It so happens that the administrator accounts were
named "administrator" (by default) with the same password
for both administrators on both domains. I logged onto the
domain controller for domain1 as "administrator". Since
this is a domain controller, I'm guessing that the
authentication protocol used is Kerberos for
authentication into the system.
Here are the steps: ( Winlogon sends the information to
the LSA. When the logon request reaches the LSA, it passes
the request to the Kerberos authentication package. Then
it sends an initial authentication request (AS_REQ), which
includes the user credentials and an encrypted timestamp
to the KDC. This is a request for authentication and a
TGT. The KDC uses the secret key to decrypt the timestamp
and issues a TGT to the client. This TGT (AS_REP) contains
a session key, the name of the user to whom the session
key was issued, the maximum lifetime of the ticket, and
any additional data fields or settings that might be
required. The AS_REP is encrypted in the user's key and
returned to the user. The ticket is encrypted in the KDC's
key and enclosed in the AS_REP. The authorization data
portion of the TGT contains the SID for the user account
and SIDs for any global and universal groups to which the
user belongs. When the user attempts to access a resource,
the client system uses the TGT to request a service ticket
(TGS_REQ) from the Kerberos ticket-granting service on the
domain controller. The TGS then issues a service ticket
(TGS_REP) to the client. This service ticket is encrypted
using the server's secret key. The SIDs are copied by the
Kerberos service from the TGT into all subsequent service
tickets obtained from the Kerberos service. The client
presents this service ticket directly to the requested
network service. The service ticket proves both the user's
identity and permissions to the service, and the service's
identity to the user. 1)
I don't believe that there is a way for the
Kerberos protocol to be used to authenticate between un-
trusted domains even if they reside on the same physical
segment. Therefore the information cached within the LSA,
maybe information to make the authenticator for Kerberos
or other pieces of information to use for other forms of
authentication, is used to try and authenticate. So, the
next form of authentication is NTLM. Now, my understanding
of NTLM is that it uses salts, therefore, the same user
name with the same password on different domains does not
equal the same person and a pass-through authentication
will not work. The only way is to re-authenticate with the
correct credentials, i.e. using the domain name to make
the proper authentication token. I began browsing in
between the domains using network neighborhood and even
mapped a drive to the other domain. I did all this and I
had not re-authenticated into domain2. Seeing that there
is no trusts set up in between the domains what
authentication protocol did this default to? The only
authentication protocols available to my knowledge are
NTLMv2, NTLMv1 and LANManager. It seems that it defaulted
to LM and used basic credentials (no salts) cashed in LSA
to make it seem like pass-through authentication access.
Is this the case or am I completely off base? Should an
administrator logged on to a domain controller in domain1
be able to freely access resources on un-trusted domain2
if he has the same user id and password as a user in
domain2?
1 (reference-
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtechnol/winxppro/reskit/prdp_log_cklv.asp)