Deep dive: Logging on to Windows

Published Jun 07 2021 03:00 AM 20.1K Views
Microsoft

Logging on to your computer is certainly faster than it used to be, yet there are a bunch of technical steps that happen in the background. At our ITOps Talk: All things hybrid event, senior developer Steve Syfuhs took us through the details, including access to cloud resources.
This article explains the process of logging on to Windows with an on-premises Active Directory domain, including the fact that your password isn't sent to the Active Directory Domain Controller!


The goal of the Windows logon process

When you sit down at your computer, your aim is to get to your desktop as fast as possible, so you can start working. But we also need to validate that you've entered a correct username and password to prove you are allowed to use that device. Then, you might want access to resources on your local network, like a file share or printer. So the Windows logon process needs to take your credentials, pass them to another service to validate them, then load your desktop, in as short a time as possible. Sounds simple? Let's look at the complexity.


The Windows logon process in detail

[Image: Step 1 of the Windows logon process with winlogon.exe, logonUI.exe and lsass.exe]

The Windows Logon Application (winlogon.exe) handles the logon process, with LogonUI.exe displaying the logon box that matches the authentication providers available on the device (for example, can you choose a password, Windows Hello, a PIN or a FIDO key?).

Enter your password into the logon user interface, and winlogon.exe passes it off to the local security authority subsystem service (lsass.exe). Lsass drives the entire security of your computer as you access resources.


The Local Security Authority exposes a function called LsaLogonUser to winlogon over LPC (a local variant of remote procedure call for processes running on the same machine).

[Image: The Windows Local Security Authority process]

Lsass handles Authentication (Auth) Packages, and in the Windows logon process it calls the Negotiate Auth Package. You can see that in the source code that Microsoft provides as a sample (https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/CredentialProvider/cpp/CSampleCredential.cpp) to people who want to write their own credential provider for Windows.

[Image: Windows logon process NegotiateAuthPackage]

We're using a cached logon here, checking for a match with the last password that successfully logged on to this machine, so we're not waiting for a response from the domain controller over the network. Negotiate asks the credential providers (for example NegoEx, Kerberos and NTLM) whether they support cached logons, and NTLM says yes!

Now NTLM checks its netlogon authentication cache, but none of this process is in plain text. The password you entered is hashed tens of thousands of times and compared against the hashed passwords stored in the local cache. This hashing is important: if anyone were to get access to the cache, we don't want them to be able to turn the hash back into the plain-text password.

If the provided password hash has a match in the cache, then we can go and load the desktop! NTLM returns success to lsass, which passes that approval to winlogon.

[Image: Loading the user profile and desktop]

Then winlogon handles another bunch of processes to load your user profile and desktop, runs userinit to process any logon scripts, and finally starts explorer.exe, which you see as your desktop UI.

OK, now we've authenticated quickly, but only locally, and we're seeing the desktop and can start working. Lsass is not finished yet though!

[Image: Domain controller authentication with Kerberos]

The local security authority, having created a background thread, asks Negotiate for a credential provider that supports online logon and gets a yes from Kerberos. This protocol is used to communicate with your domain controller running Active Directory. Even here, we're not sending the entered password to the domain controller; we're having a little two-way conversation, similar to placing a collect phone call (https://en.wikipedia.org/wiki/Collect_call).

We send an AS_REQ (authentication service request) to authenticate as a user:

Windows: Hi, I'm Steve, please give me a ticket granting ticket!

Domain Controller: No, prove that you are Steve.

W: OK, here's a hash of my current password that also includes the current timestamp.

DC: OK, if I also use the current timestamp, that matches the hash I have of your password. Here's your Kerberos ticket granting ticket (krbtgt). Think of it like your theme park pass: it says I trust you've paid your entry fee, and you can now show it to all the different rides and you'll be able to go on them.

This is a successful authentication: we've matched a valid user and password in Active Directory!

Windows: Hey, here's my TGT, can I access this local machine host?

DC: Sure! Here's a ticket granting access to the local machine.

W: Cool! I'll hold that in memory for accessing any other network resources on my local network.

Windows can decrypt that ticket, using your password, to gain access to a bunch of information inside the ticket, like your user profile path, group membership, etc. It also creates an NT token, which is your identity as represented in Windows, for applications and so on to use.
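The AS and TGS exchanges described above, as an added example (not the article's or Steve's code) in Python: a toy KDC and client in which the password is turned into a key locally and only a sealed timestamp crosses the wire, while the KDC rejects a wrong key, an unknown principal and a stale timestamp. The cipher is a constructed stand-in for Kerberos AES, the realm, principal names and passwords are made up, and the host ticket is opened with the machine's own key, as in real Kerberos, rather than by the client.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # KDC accepts a pre-auth timestamp within 5 minutes (Kerberos default)

def string_to_key(password: str, salt: str) -> bytes:
    # Kerberos AES etypes turn the password into a long-term key with PBKDF2 (the
    # "hashed many times" step); only this key is ever used, never the text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption constructed for this example (stands in for
    # Kerberos AES-CTS + HMAC); layout is nonce || ciphertext || tag.
    pt = json.dumps(obj).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    # Domain controller side: stores derived keys only and never sees a password.
    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {n: string_to_key(pw, realm + n) for n, pw in principals.items()}
        self.krbtgt_key = os.urandom(32)  # seals TGTs; clients never hold it

    def as_exchange(self, req: dict) -> dict:
        # AS-REQ: "I'm Steve" plus pre-auth, a timestamp sealed under Steve's key.
        key = self.keys.get(req["cname"])
        if key is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        try:
            pa = unseal(key, req["padata"])
        except ValueError:
            return {"error": "KDC_ERR_PREAUTH_FAILED"}  # wrong password: 4768 result 0x18
        if abs(pa["timestamp"] - time.time()) > SKEW:
            return {"error": "KDC_ERR_SKEW"}  # stale timestamp: clock drift or replay
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"cname": req["cname"], "session": session})
        # AS-REP: TGT (opaque to the client) + session key sealed under the user key.
        return {"tgt": tgt.hex(), "enc_part": seal(key, {"session": session}).hex()}

    def tgs_exchange(self, req: dict) -> dict:
        # TGS-REQ: "here's my TGT, give me a ticket for HOST/<machine>".
        tgt = unseal(self.krbtgt_key, bytes.fromhex(req["tgt"]))
        tgt_session = bytes.fromhex(tgt["session"])
        auth = unseal(tgt_session, bytes.fromhex(req["authenticator"]))
        if auth["cname"] != tgt["cname"]:
            return {"error": "KRB_AP_ERR_BADMATCH"}
        svc_key = self.keys.get(req["sname"])
        if svc_key is None:
            return {"error": "KDC_ERR_S_PRINCIPAL_UNKNOWN"}
        svc_session = os.urandom(32).hex()
        ticket = seal(svc_key, {"cname": tgt["cname"], "session": svc_session,
                                "groups": ["Domain Users"]})
        return {"ticket": ticket.hex(),
                "enc_part": seal(tgt_session, {"session": svc_session}).hex()}

def client_logon(kdc: KDC, user: str, password: str, host: str) -> dict:
    # lsass side: derive the key locally, run AS then TGS, keep tickets in memory.
    key = string_to_key(password, kdc.realm + user)
    rep = kdc.as_exchange({"cname": user, "padata": seal(key, {"timestamp": time.time()})})
    if "error" in rep:
        return rep
    tgt_session = bytes.fromhex(unseal(key, bytes.fromhex(rep["enc_part"]))["session"])
    rep2 = kdc.tgs_exchange({"tgt": rep["tgt"], "sname": host,
                             "authenticator": seal(tgt_session, {"cname": user}).hex()})
    if "error" in rep2:
        return rep2
    # The host ticket is sealed under the machine's key: the client cannot read it and
    # only presents it; the service session key from enc_part is what it keeps.
    svc_session = unseal(tgt_session, bytes.fromhex(rep2["enc_part"]))["session"]
    return {"ok": True, "tgt": rep["tgt"], "host_ticket": rep2["ticket"], "session": svc_session}

def host_accept(kdc: KDC, host: str, ticket_hex: str) -> dict:
    # The machine opens the ticket with its own key and builds the NT token from it.
    t = unseal(kdc.keys[host], bytes.fromhex(ticket_hex))
    return {"user": t["cname"], "groups": t["groups"]}
```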

Conclusion

The next time it feels like your logon is a little slow, remember all the things it's doing in the background! In a future blog post, we'll go through Steve's explanation of this process in hybrid environments, where Azure Active Directory also comes into play.

To watch the full video, visit OPS108 Windows authentication internals in a hybrid world (https://techcommunity.microsoft.com/t5/itops-talk-blog/ops108-windows-authentication-internals-in-a-hybrid-world/ba-p/2109557).

Special thanks to Steve Syfuhs (https://syfuhs.net/) for sharing his expertise with us!

Learn more

- Credentials Processes in Windows Authentication: https://docs.microsoft.com/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
- Active Directory Domain Services Overview: https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
- Windows Authentication in a Hybrid World (video): https://channel9.msdn.com/Shows/IT-Ops-Talk/OPS108-Windows-Authentication-in-a-Hybrid-World/player

6 Comments

Thank you @Sonia Cuff for sharing with the Community :cool:

Regular Visitor

This is good, however, I have a situation where the logon fails (4625, Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xC000015B
Sub Status: 0x0)

Yet, 4768 and 4769 for that logon attempt return 0x0!

Result Code: 0x0
If TGT issue fails then you will see Failure event with Result Code field not equal to "0x0"

Can you please explain what is going on?


Occasional Visitor

This is fantastic. Any chance of a deep dive on Azure AD logins?

Occasional Contributor

+1 for a deep dive of how this differs for AAD-only joined devices.

Microsoft

@Ihor43 You can have a 4625 after a successful authentication. We actually need to authenticate the user before evaluating the logon type privilege. So you type your U/P (username/password) to open your session, you get a TGT because you typed the correct U/P, and get a service ticket for HOST/<the system you are logging into>, which is also successful because your TGT is valid (assuming you don't have Kerberos Authentication Policies interfering here). But then, when the system reads that ticket and evaluates the privilege, it comes to the conclusion that, based on your identity and your group membership, you don't have the right level of privilege. Also note that in that case the 4625 is a local event on the system you are trying to access, whereas the 4768 and 4769 will only be on the domain controller serving the requests.

Similar things would happen if you try to access a file share on which you have a deny ACE. You would successfully obtain a ticket for a file server, present it to the file server, even get a 4624 on the file server (because this time there’s no issue with system privilege, assuming you have the privilege "Access this computer from the network") BUT then get an access denied message on file access (which by the way you can configure the text of using the Access Denied Assistance feature). 
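The reply above explains why a 4768 and a 4769 with result 0x0 on the domain controller can be followed by a 4625 with status 0xC000015B on the workstation, and that the two live on different hosts. This added example (not part of the thread) correlates the two sources to separate "credentials rejected" from "credentials fine, logon right denied"; the event records are constructed and their field names are a simplified stand-in for the real event XML.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). One logon where the DC vouches for the
# user (4768, 4769) but the workstation denies the logon right (4625, 0xC000015B),
# and one where pre-auth fails at the DC (0x18) and the host logs a bad password.
SAMPLE_EVENTS = [
    {"host": "DC01", "id": 4768, "time": "2021-06-07T08:00:01", "user": "steve", "result": "0x0"},
    {"host": "DC01", "id": 4769, "time": "2021-06-07T08:00:02", "user": "steve",
     "service": "PC1$", "result": "0x0"},
    {"host": "PC1", "id": 4625, "time": "2021-06-07T08:00:03", "user": "steve",
     "logon_type": 2, "status": "0xC000015B", "sub_status": "0x0"},
    {"host": "DC01", "id": 4768, "time": "2021-06-07T08:05:00", "user": "mallory", "result": "0x18"},
    {"host": "PC1", "id": 4625, "time": "2021-06-07T08:05:01", "user": "mallory",
     "logon_type": 2, "status": "0xC000006D", "sub_status": "0xC000006A"},
]

# NTSTATUS values on a 4625 that mean the credentials were accepted but the logon was not.
AUTHZ_STATUS = {"0xC000015B": "logon type not granted at this machine",
                "0xC000006E": "account restriction (hours, workstation, etc.)"}
# Values that mean the credentials themselves were wrong.
CRED_STATUS = {"0xC000006D": "bad user name or password", "0xC000006A": "wrong password",
               "0xC0000064": "user name does not exist"}

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def correlate(events, window=timedelta(seconds=60)):
    """For every 4625, look back `window` for the same user's Kerberos events on the DC
    and say whether the failure was a credential problem or an authorization problem."""
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["id"] != 4625:
            continue
        prior = [e for e in events if e["id"] in (4768, 4769) and e["user"] == ev["user"]
                 and timedelta(0) <= _ts(ev) - _ts(e) <= window]
        tgt_ok = any(e["id"] == 4768 and e["result"] == "0x0" for e in prior)
        st_ok = any(e["id"] == 4769 and e["result"] == "0x0" for e in prior)
        if ev["status"] in AUTHZ_STATUS and tgt_ok and st_ok:
            verdict, reason = "authorization", AUTHZ_STATUS[ev["status"]]
            action = "DC vouched for the identity; review logon rights and group membership on " + ev["host"]
        elif ev["status"] in CRED_STATUS or ev["sub_status"] in CRED_STATUS:
            verdict = "credential"
            reason = CRED_STATUS.get(ev["sub_status"], CRED_STATUS.get(ev["status"]))
            action = "credentials rejected; watch for repeated failures against " + ev["user"]
        else:
            verdict, reason, action = "unknown", ev["status"], "inspect event manually"
        findings.append({"user": ev["user"], "host": ev["host"], "time": ev["time"],
                         "verdict": verdict, "reason": reason, "action": action,
                         "dc_evidence": [(e["id"], e["result"]) for e in prior]})
    return findings
```

Because 4768/4769 only exist on the DC and 4625 only on the host, the input has to be a merged feed from both, as the reply points out.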

New Contributor

What about Credentials Guard?

Last update: Jun 07 2021 06:10 AM