Tuesday, April 15, 2008

Windows XP Authentication/Authorization Process

While discussing Microsoft's Best Practices for Domain Controllers, I began looking closely at the authentication process and the authorization process when accessing resources on the network. I had a mix of terms and understanding about this. I thought that the user was authenticated each time they opened a file or printed a document. I later found that this is actually called "authorization", which now makes sense.

This is termed as authorization because when the user is authenticated during the login process (domain) they are granted an access token. Each time the user then starts a process thread (we'll use Microsoft Word as the example), that application doesn't have a SID (Security Identification), so it "borrows" the user's token that launched the process (this is also how the "Run As" procedure works). Every file the process tries to access (such as a Word document on a network drive), also uses the user's access token. This is how the system knows when a user's account has been disabled after they have logged in, then immediately makes network resources unavailable, even though the user can still be logged into the local machine (this is because their authentication already happened when they logged on the computer - before the account was disabled).

This brings me back to the point of the domain controller in each site. If it isn't configured this way, every network file that is accessed (which for us, is most every file) or a document is printed (another network resource), the user's access token is passed to the domain controller to access that resource. If there isn't a domain controller in the site, the token must be passed over the WAN and then back to the network resource to ensure that the access token is valid (see Microsoft's Windows XP TechCenter: http://technet.microsoft.com/en-us/library/bb457115.aspx).

This has been a great exercise that confirmed my belief and corrected some of the terminology that I was using.


No comments: