What is the difference between logging into an AD Domain versus connecting to a network resource?

Discussion in 'Server Security' started by JLeste, Jan 26, 2006.

  1. JLeste

    JLeste Guest

    Can someone explain the difference between logging on to a computer that
    is part of an Active Directory domain using an Active Directory user
    account, versus logging on to a local computer and then connecting to a
    network resource (where the user is then prompted for network
    credentials), i.e. a user logs into his/her home computer and then VPNs
    into the work network?

    Or a slightly different scenario, where a user logs into his/her laptop
    (that is part of the domain) offline, but then VPNs into the network
    after they have logged in using locally cached credentials. I know for
    instance that group policies (user) aren't processed in either scenario,
    but realized I didn't entirely understand why. Or why, when I log on to
    the domain from a domain member computer, I can access resources from
    various servers with no prompting for credentials, whereas from a
    non-domain computer I am prompted each time I try to access a different
    resource.

    Thanks
     
    JLeste, Jan 26, 2006
    #1

  2. That is a fairly broad question.

    One way to look at things that might help runs . . .

    To use resources you are always authenticated first,
    which is the process of verifying who you are, that
    you are "allowed" to use the account you are trying
    to use. Following this, there is then an authorization
    check to see if this "you" (the authenticated account)
    is allowed to do what it is trying to do.

    When one has logged into a domain member with a
    domain account, the authentication took place at a
    domain controller. In this case the "you" is an account
    that all domain members recognize and all will trust (as
    they trust the decisions of the domain controllers).
    When one has logged into a domain member with a local
    account, or to a non-domain member (whether with a
    local account or a domain account if in a non-trusted
    domain) the "you" is something about which machines
    in the domain know nothing and the authorization was
    by an authority in which they place no trust. In other
    words, that "you" is nobody to them.

    So, when the current login is with recognized credentials
    the accessed machine only needs to do the authorization
    for the attempted access. However, if the "you" is nobody
    to the accessed machine then it needs to start at square
    one and first find out who is attempting access (and so it
    issues an authentication prompt).
     
    Roger Abell [MVP], Jan 27, 2006
    #2

  3. simply:

    The term "domain" means nothing more than "the central database of user
    names/passwords". The fact that a computer is "a member of a domain" means
    exactly and only this: "my computer allows access to anybody who provides a
    login/pwd that is not stored in my local database, but in the central
    database".

    When you log on, you can provide either a login/pwd that is stored locally -
    local logon - then your computer consults its local registry, searching for
    whether the login and the correct password are there. If they really are there,
    the user can access the computer.

    Or you log on using a login/pwd that is stored in the central database
    (the database is called "domain"); your computer finds an appropriate server
    that holds the database (domain controller) and sends the provided
    login/pwd there. The domain controller tries to find the credentials in its own
    database and if it is successful, returns back "ok, the user is ok". Because
    your computer "trusts" the central database server, it allows you access
    the same way as with your local account.


    When you try to access a remote resource, you will always have to provide
    your login/pwd so that it can be checked on the remote computer. So imagine
    you access a shared file on another computer.

    Your system sends there the login/pwd you previously provided when logging
    on (it stores it for the whole time you are logged on).
    The remote computer checks the credentials the same way as it would do when
    you log on it locally - checks either its own registry or its configured
    central database.

    If the information is not correct - the user either does not exist, has been
    denied access or so - you are presented with the login/pwd dialog box to enter
    a different set of credentials.


    That's all.



    O.
     
    Ondrej Sevecek, Jan 27, 2006
    #3
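The two replies above describe the same thing from two angles: Roger's authentication-then-authorization split, and Ondrej's walk through where the credentials are checked (local SAM versus domain controller) and how they are replayed to a remote share. The following PowerShell, added here as an illustration and not part of the original thread, lets you observe those steps on a Windows domain member: which authority issued the SID in your token, how the logon was authenticated, and what happens when the same credentials are offered to a share. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or later (for `Get-LocalUser`); `\\fileserver\share` and `CORP\jsmith` are placeholders, not names from the thread.

```powershell
# Added example, not from the original thread. Run on a Windows domain member.
# Placeholders: \\fileserver\share and CORP\jsmith. Requires Get-LocalUser
# (Windows 10 / Server 2016 or later).

# 1. Who is the "you"? The domain part of the token's SID identifies the
#    database that vouched for the account: the local SAM or a domain.
$me               = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$accountAuthority = $me.User.AccountDomainSid                        # S-1-5-21-... of issuing authority
$localAuthority   = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid

if ($accountAuthority -eq $localAuthority) {
    "$($me.Name): local account - only this machine's SAM knows this SID"
} else {
    "$($me.Name): account issued by another authority (a domain controller)"
}

# 2. How was the logon authenticated? Kerberos means a DC handled it while
#    online; NTLM appears for local accounts and, typically, for logons that
#    used cached credentials because no DC was reachable.
"Authentication package: $($me.AuthenticationType)"
klist tgt   # shows the Kerberos TGT a DC issued; nothing useful after an offline/cached logon

# 3. Authorization happens at the remote machine. Accessing a share replays
#    the logon credentials silently; if the remote side does not recognise
#    the issuing authority, the implicit attempt fails and explicit
#    credentials must be supplied (the same thing the GUI prompt asks for).
$share = '\\fileserver\share'
if (Test-Path $share) {
    "Implicit credentials accepted by $share"
} else {
    # Fall back to explicit credentials; the '*' makes net use prompt for the password.
    net use $share /user:CORP\jsmith *
}
```

On a domain-joined machine logged on with a domain account while a DC is reachable, step 1 reports a foreign authority, step 2 shows Kerberos and a TGT, and step 3 succeeds without a prompt. From a home machine with a local account, step 1 reports the local SAM, there is no TGT, and the remote server falls straight into the `net use` prompt, which is the behaviour the original question describes.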
  4. JLeste

    JLeste Guest

    Thanks for such a coherent explanation. And somewhere in my head I
    think I knew this.

    Jan
     
    JLeste, Jan 27, 2006
    #4
  5. You're welcome Jan.
    Just tuck away in the head "authentication + authorization"
    Everything flows from remembering these are two, and different.

    Roger
     
    Roger Abell [MVP], Jan 27, 2006
    #5
