In the previous article, we introduced the entire process of Kerberos authentication. Where the environment permits it, Kerberos is the preferred authentication method. Before Kerberos, Windows primarily relied on another authentication protocol, NTLM (NT LAN Manager). NTLM is used in Windows NT and in Windows 2000 Server (or later) workgroup environments (Kerberos is used in domain mode). Even in an AD domain environment, authenticating against a Windows NT system still requires NTLM. Compared with Kerberos, the NTLM authentication process is much simpler: NTLM uses a Challenge/Response message exchange. The figure on the right shows the entire NTLM authentication process in Windows 2000.
Step 1
The user logs on to the client host by entering a Windows account name and password. At logon, the client caches a hash of the entered password and discards the original password ("the original password must never be cached" is a basic security rule). When a user who has successfully logged on to the Windows client tries to access a resource on a server, the client must send a request to that server. The request contains the user name in plaintext.
Step 2
After receiving the request, the server generates a 16-bit random number. This random number is called the Challenge (or Nonce). Before the server sends the Challenge to the client, it saves a copy of it. The Challenge is sent in plaintext.
Step 3
After receiving the Challenge from the server, the client encrypts the Challenge with the password hash saved in step 1 and sends the encrypted Challenge back to the server.
Step 4
After the server receives the encrypted Challenge from the client, it sends a verification request for that client to the DC (Domain Controller). The request contains the client's user name, the Challenge encrypted with the client's password hash, and the original Challenge.
Step 5 and 6
The DC looks up the account's password hash by user name and encrypts the original Challenge with it. If the result matches the encrypted Challenge forwarded by the server, the user holds the correct password and verification succeeds; otherwise verification fails. The DC returns the verification result to the server, which finally relays the outcome to the client.
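The six steps above form one exchange among client, server and DC. The following simulation, an added example that is not part of the original article, models that exchange end to end: the client keeps only a hash of its password, the server saves the Challenge before sending it, and the DC recomputes the expected response from its own copy of the hash. Two substitutions are assumptions made so the code runs anywhere: the password hash is SHA-256 over the UTF-16LE password (real NTLM uses MD4 for the NT hash, which many OpenSSL builds no longer ship), and the response is HMAC-SHA256 keyed with that hash (NTLMv1 uses DES, NTLMv2 HMAC-MD5). The class names, account "alice" and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # Step 1: the client keeps only a hash of the password, never the password.
    # Assumption: SHA-256 over the UTF-16LE password stands in for the real
    # NT hash (MD4 over UTF-16LE), which is often unavailable in modern OpenSSL.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Step 3: the stored hash keys a MAC over the Challenge. Assumption: HMAC-SHA256
    # stands in for the DES (NTLMv1) or HMAC-MD5 (NTLMv2) computation.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.pw_hash = password_hash(password)  # the plaintext is discarded here

    def request(self) -> dict:
        # Step 1: the access request carries the user name in plaintext.
        return {"user": self.username}

    def answer(self, challenge: bytes) -> bytes:
        return compute_response(self.pw_hash, challenge)


class DomainController:
    def __init__(self, accounts: dict):
        self.accounts = accounts  # username -> password hash (constructed account store)

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        # Steps 5 and 6: recompute the response from the stored hash and compare.
        stored = self.accounts.get(username)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)
        return hmac.compare_digest(expected, response)


class Server:
    def __init__(self, dc: DomainController):
        self.dc = dc
        self.pending = {}  # username -> saved Challenge (step 2: saved before sending)

    def challenge(self, username: str) -> bytes:
        # Step 2: a fresh random Challenge per request (8 bytes here, as in real NTLM).
        nonce = os.urandom(8)
        self.pending[username] = nonce
        return nonce  # sent to the client in plaintext

    def validate(self, username: str, response: bytes) -> bool:
        # Step 4: forward user name, response and the saved Challenge to the DC.
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False  # no outstanding Challenge for this user
        return self.dc.verify(username, challenge, response)


def authenticate(client: Client, server: Server) -> bool:
    """Run one complete Challenge/Response exchange and return the DC's verdict."""
    req = client.request()
    chal = server.challenge(req["user"])
    resp = client.answer(chal)
    return server.validate(req["user"], resp)


def demo() -> tuple:
    dc = DomainController({"alice": password_hash("correct horse")})  # constructed
    server = Server(dc)
    ok = authenticate(Client("alice", "correct horse"), server)
    wrong_pw = authenticate(Client("alice", "wrong"), server)
    unknown = authenticate(Client("bob", "anything"), server)
    # A captured response is tied to its Challenge: presenting it again after the
    # server has issued a new Challenge fails, which is what the nonce is for.
    good = Client("alice", "correct horse")
    first = good.answer(server.challenge("alice"))
    server.validate("alice", first)
    server.challenge("alice")
    replayed = server.validate("alice", first)
    return ok, wrong_pw, unknown, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

Because the server never sees the password hash and the DC never sees the password, the only secret that has to be protected on the wire is the hash itself; the server-chosen Challenge is what prevents a recorded response from being accepted twice.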