Windows Server Troubleshooting - Logon

Click here to start saving with ING DIRECT!

Home | Up | Methodology | Architecture | Tools | Memory | Processor | Registry | File System | Network | Contents

Get the Book

Major Topics
Methodology
Architecture
Tools
Memory
Processor
Registry
File System
Network
Active Directory
Contents
Other Topics
Logon
FSMO
NTDSUtil
RepAdmin
Garbage Collection
RootDSE
Distinguished Name
Sites
DNS
Replication
REPLMON
Restore the AD
Log Files
Global Catalog
More Detail

eXpert Genealogy

Memory from Crucial.com


2003-2006 Team Approach Limited
All rights reserved


To troubleshoot logon problems, you need to understand all of the components involved in the logon. A successful logon requires access to all of the following servers

DNS server
A Domain Controller for your domain
A Kerberos Key Distribution Center
A Global Catalog server to resolve UPNs and universal group membership

Users logon with a UPN User Principal Name. The domain of the UPN need not match the user's object domain. In some cases, users may use an e-mail address as the UPN which does not match the user's object domain. The Global Catalog must be searched for a user object with the matching UPN to determine the logon domain, so that the logon can proceed.

Logon with UPN tyoung1234@hotmail.com Lookup UPN in AD to determine logon domain

If the domain logon fails, Windows may still allow access to the local computer. Windows caches the last few domain logon credentials. If the domain logon fails, Windows check the name/password combination against the cached credentials and allows local access if the credentials are OK. In this situation network resources are unavailable without authentication. 

For the logon to succeed, all group memberships must be determined. Universal Groups memberships are potentially the most difficult to resolve given that they can be created in any domain and have potential members from any domain. To resolve this difficulty, universal group membership is published in the Global Catalog. If a Global Catalog server is not available at logon, universal group membership cannot be determined. If no GC is available, administrators will logon without the authority of their universal group memberships. Other users will logon with cached credentials and will not have network access.

Logon with UPN Domain Controller Global Catlog lookup for universal group membership

Kerberos Authentication

Kerberos is an authentication protocol developed at MIT in project Athena. Kerberos is known in mythology as the three-headed dog guardian of Hades. Microsoft has replaced the NTChaps protocol used in Windows NT with Kerberos which is the authentication protocol for the Active Directory. Kerberos authentication is managed by KDC Key Distribution Center servers. Windows Server Domain Controllers provide the KDC service.

Before connecting to a server, a client must obtain a session ticket from a KDC domain controller. The tick is only valid for sessions between that particular client and the particular server. Another ticket is required to connection to another server.

Ticket
 from KDC  
for session with server

Clients store the Kerberos tickets in a memory area known as the ticket cache. The Resource Kit utility KERBTRAY can display and purge the ticket cache.

See the Microsoft technical paper on Kerberos at  http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp