Philadelphia Computer Tech Support
Security Support Providers
When the system is booted, Windows 2000 Server automatically starts two Security Support Providers (SSPs): the Kerberos SSP and the NTLM SSP. Both are started by the LSA, and both are available to authenticate network logons and connections between clients and servers. Windows 2000 Server defaults to the Kerberos SSP unless the client is not capable of using Kerberos, as is the case with Windows 9x; in that case the NTLM SSP is used. The NTLM SSP is also used by Windows 2000 Servers configured as member servers or stand-alone servers, and for logging on to a domain controller locally rather than to the domain. (Figure 3.14 outlines the process used when you log on locally.) The Kerberos SSP is tried first because it is the default for Windows 2000; if the user is logging on locally, however, an error is returned to the Security Support Provider Interface (SSPI), which then sends the logon request to the NTLM SSP.
Figure 3.14 This is the logon process for local logons.
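Because the SSPI silently falls back from Kerberos to NTLM, the authentication package recorded for each logon is the practical way to see which SSP actually handled it. The following added example (not from the book) parses constructed, simplified logon records carrying the classic "Logon Type" and "Authentication Package" fields and separates NTLM used for an expected local logon from NTLM used for a domain logon that should normally have been Kerberos; the record layout and sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample records in the style of classic Windows security log
# logon events (simplified; the layout and values are assumptions, not taken
# from a real system). Logon Type 2 is interactive, 3 is network.
SAMPLE_EVENTS = """\
User Name: alice  Domain: CORP  Logon Type: 3  Authentication Package: Kerberos  Workstation Name: WS01
User Name: bob  Domain: CORP  Logon Type: 3  Authentication Package: NTLM  Workstation Name: WIN98-LAB
User Name: Administrator  Domain: DC01  Logon Type: 2  Authentication Package: NTLM  Workstation Name: DC01
User Name: svc-backup  Domain: CORP  Logon Type: 3  Authentication Package: NTLM  Workstation Name: FILESRV
"""

FIELD_RE = re.compile(
    r"(User Name|Domain|Logon Type|Authentication Package|Workstation Name): (\S+)"
)


def parse_event(line):
    """Return one record's fields as a dict; fields missing from the line are absent."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Label the logon by the SSP that handled it and why, per the fallback rules above."""
    pkg = event.get("Authentication Package", "")
    if pkg == "Kerberos":
        return "kerberos"
    if pkg != "NTLM":
        return "unknown"
    # A local (console) logon, or a logon whose domain is the machine itself,
    # is expected to use the NTLM SSP.
    if event.get("Logon Type") == "2" or event.get("Domain") == event.get("Workstation Name"):
        return "ntlm-local"
    # A domain logon over the network that still used NTLM means the client
    # could not (or did not) use Kerberos; worth reviewing.
    return "ntlm-fallback"


def summarize(text):
    """Count logons per category and list the NTLM fallbacks for domain accounts."""
    counts = Counter()
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = classify(ev)
        counts[kind] += 1
        if kind == "ntlm-fallback":
            flagged.append((ev.get("User Name"), ev.get("Workstation Name")))
    return counts, flagged
```

Run `summarize(SAMPLE_EVENTS)` to get the per-category counts and the flagged (user, workstation) pairs; in a real deployment the flagged list is the set of hosts to check for Kerberos capability or misconfiguration.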
Credentials Cache
The client uses an area of volatile memory called the credentials cache. This area of memory is protected by the LSA and is never written to the pagefile on the hard disk drive. When the user logs off the system, everything in the credentials cache is flushed.

The Kerberos SSP controls the credentials cache and is used to obtain and renew tickets and keys. The LSA is responsible for notifying the Kerberos SSP when these functions need to be performed.
The LSA also keeps a copy of the user’s hashed password in a secure portion of the registry while the user is