Windows Server 2003 Troubleshoot user authentication issues


Troubleshoot user authentication issues:  Microsoft Windows Server 2003 supports various authentication protocols, as well as a key feature known as Stored User Names and Passwords for client access to network resources.

The topics are discussed in the following sections.

Authentication Process
Authentication is based on two processes in Microsoft Windows Server 2003. The first process is the interactive logon, which is used to confirm the user's identity. This verification is done against either a local computer account or a domain account, and the process differs for each.

• Local computer account - A client simply logs onto the computer, and the credentials in the local Security Accounts Manager (SAM) database are used.

• Domain account - A client logs onto the network with a password or a smart card, and the credentials stored in Active Directory are used to grant access to network resources. Once a client has logged onto the domain with a domain account, it can access resources in that domain as well as in any trusting domains.

Domain User Accounts using Kerberos:
Kerberos policies do not exist in local computer policy; they apply only to domain user accounts.
Before looking at the Kerberos policies, you need to know about tickets. A ticket is a set of identification data issued by a domain controller for user authentication. There are two types of tickets: service tickets and ticket-granting tickets (TGTs). Kerberos policies can be used to enforce any of the following security features:

• Enforce user logon restrictions - To reach this and the other Kerberos settings, open the policy and expand the console tree Computer Configuration | Windows Settings | Security Settings | Account Policies | Kerberos Policy.

• Maximum tolerance for computer clock synchronization - Kerberos V5 uses time stamps to prevent replay attacks, so the clocks on servers and client machines need to be closely synchronized. Administrators use this setting to define the maximum acceptable difference between server and client time. If the difference between the client and server clocks is less than the maximum specified in this policy, any time stamp used in a session is considered authentic.

• Maximum lifetime for service ticket - This setting determines the maximum number of minutes that a granted session ticket can be used to access a particular service. It cannot be longer than the Maximum lifetime for user ticket setting, and it must be at least 10 minutes.

• Maximum lifetime for user ticket - This setting determines, in hours, the maximum amount of time that a client's ticket-granting ticket (TGT) may be used. When the TGT expires, either the existing ticket is renewed or a new ticket must be requested.

• Maximum lifetime for user ticket renewal - This setting determines, in days (7 by default), how long a user's ticket-granting ticket (TGT) can continue to be renewed.
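A practitioner troubleshooting ticket or clock-skew errors usually starts by checking the Kerberos policy values against the rules above. The following added example (not from the article) parses the [Kerberos Policy] section of a security template in the format produced by `secedit /export` and applies those rules; the sample template values are constructed, and the renewal-versus-TGT check is an extra rule the KDC enforces that the article does not state.

```python
import configparser
from datetime import datetime, timedelta, timezone

# Constructed sample of a [Kerberos Policy] section. MaxTicketAge is in hours,
# MaxRenewAge in days, MaxServiceAge and MaxClockSkew in minutes.
SAMPLE_TEMPLATE = """\
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
"""


def parse_kerberos_policy(text):
    """Return the [Kerberos Policy] values as a dict of ints (key case preserved)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep MaxTicketAge etc. exactly as written
    cp.read_string(text)
    return {k: int(v) for k, v in cp["Kerberos Policy"].items()}


def policy_problems(p):
    """Check the lifetime rules from the article plus the renewal rule."""
    problems = []
    if p["MaxServiceAge"] < 10:
        problems.append("MaxServiceAge below the 10-minute minimum")
    if p["MaxServiceAge"] > p["MaxTicketAge"] * 60:
        problems.append("MaxServiceAge exceeds MaxTicketAge lifetime")
    if p["MaxRenewAge"] * 24 < p["MaxTicketAge"]:  # extra rule, see lead-in
        problems.append("MaxRenewAge shorter than MaxTicketAge lifetime")
    return problems


def timestamp_within_tolerance(p, client_time, server_time):
    """Replay-protection rule: accept a time stamp only when the client and
    server clocks differ by less than MaxClockSkew minutes."""
    return abs(client_time - server_time) < timedelta(minutes=p["MaxClockSkew"])


if __name__ == "__main__":
    policy = parse_kerberos_policy(SAMPLE_TEMPLATE)
    print("problems:", policy_problems(policy) or "none")
    now = datetime(2003, 4, 24, 12, 0, tzinfo=timezone.utc)
    print("3 min skew ok:", timestamp_within_tolerance(policy, now, now + timedelta(minutes=3)))
```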

Local Computer Account Policy
The local computer account policy can be accessed via the MMC console: click Start | Administrative Tools | Local Security Policy.

Stored user names and passwords: A new feature in Windows Server 2003, introduced originally with Windows XP, is Stored User Names and Passwords. When a user logs onto their computer, they use their default username and password for authentication. However, there may be occasions when a different name and password is required to connect to a resource. Some examples of this are:
• You need to connect remotely to a server as administrator
• You are working from your home computer and need to connect to work resources
• You are connecting to resources in an untrusted domain
• You are connecting to Web resources using a specific Web identity.
You may also wish to save your username and password for future reuse. It is in these instances that Stored User Names and Passwords will come in handy. The benefits of using this feature are:
• User has a single sign-on experience.
• No need for the user to log off and on in order to supply multiple user names and passwords for different computers.
• Users can store as many user names and passwords as they need for future use.
• User names and passwords can be stored in a user's profile to provide privacy and portability of the user names and passwords.
• Various strong passwords can be created and stored for a variety of resources.
Stored User Names and Passwords obtains its information in two ways:
• Explicit creation by the user
• Learning from the user.

When a user logs onto a remote resource, that information is kept and used the next time the user tries to connect to that computer. If no information is stored, the user supplies a user name and password; the user can optionally choose to save them, and Stored User Names and Passwords collects and stores the information.

When Windows XP or a member of the Windows Server 2003 family attempts to connect to a new computer on the network, it provides the current user name and password to the computer. If these credentials do not grant access, Stored User Names and Passwords will attempt to supply the necessary user name and password by examining all stored user names and passwords, starting at the most specific for the resource. No more than one particular user name and password can be stored for each individual target, because the credentials are read and applied from most to least specific.

When a user opts to save alternate credentials for a resource, this information is stored in a secure part of the user's profile and cannot be accessed by other users. If the user has a single profile for use across an enterprise environment, the stored user names and passwords will be retained wherever the user logs on to the network.
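The lookup order described above (current logon credentials first, then stored entries from the most specific target to the least specific, with at most one entry per target) can be modelled as follows. This is an added example, not the article's or Windows' own code; the resource table, stored entries and account names are constructed.

```python
from fnmatch import fnmatch

# Constructed: the credentials each target actually accepts, as (user, password).
RESOURCES = {
    "fs01.corp.example": ("CORP\\jbrock", "pw-default"),
    "admin01.corp.example": ("CORP\\jbrock-adm", "pw-admin"),
    "web.partner.example": ("PARTNER\\guest", "pw-partner"),
}


def access_allowed(target, cred):
    """Stand-in for the remote computer accepting or rejecting a logon."""
    return RESOURCES.get(target) == cred


def specificity(pattern):
    """Exact host names outrank wildcard domains, which outrank the generic '*'."""
    if pattern == "*":
        return 0
    if pattern.startswith("*."):
        return 1 + pattern.count(".")
    return 100 + pattern.count(".")


def pick_credential(target, logon_cred, stored):
    """stored maps a target pattern to one (user, password) entry.
    Returns (pattern_used, cred), with '<logon>' for the default credentials,
    or None when neither the logon nor any stored credentials are accepted."""
    if access_allowed(target, logon_cred):
        return ("<logon>", logon_cred)
    candidates = [pat for pat in stored if fnmatch(target, pat)]
    for pat in sorted(candidates, key=specificity, reverse=True):
        if access_allowed(target, stored[pat]):
            return (pat, stored[pat])
    return None


if __name__ == "__main__":
    logon = ("CORP\\jbrock", "pw-default")
    stored = {
        "admin01.corp.example": ("CORP\\jbrock-adm", "pw-admin"),
        "*.partner.example": ("PARTNER\\guest", "pw-partner"),
        "*": ("CORP\\jbrock", "pw-old"),
    }
    for host in ("fs01.corp.example", "admin01.corp.example", "web.partner.example"):
        print(host, "->", pick_credential(host, logon, stored))
```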

Because of the power of Stored User Names and Passwords, there are some recommended safety precautions:
• Protect your account - Remember that anyone that has access to your account also has access to the stored user name and password information attached to your profile. Log off or lock your computer when you leave, even for a short time. Make sure your screensaver is password protected. Most importantly, use strong passwords.

• Change passwords regularly - While strong passwords protect against intruders breaking the password, even the strongest password can be stolen eventually. Passwords should be changed periodically, both to protect against a patient attacker working on a strong password over a long period and to minimize the length of time an intruder has access should a stolen password go undetected.

• Use different passwords for individual accounts - By having different passwords for different accounts, a stolen password does not substantially weaken security. Think of it this way. Would you really want the same key for your house, your car and your safety deposit box?

• Store user names and passwords only when appropriate - Obviously, extremely sensitive resources must be protected carefully. Store user names and passwords only for specific logon sessions, and choose the appropriate options in the Logon Information Properties. 

Jada Brock-Soldavini is the author of the book InsideScoop to Windows Server 2003 Certification Examination 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment. Jada works for the State of Georgia as a Network Services Administrator. She has co-authored or contributed to numerous other works pertaining to Microsoft Windows technologies. In her spare time she enjoys cooking, writing and reading anything that pertains to network and security technology. To buy my book, please visit www.totalrecallpress.com.
