Re: Why Does WinNT Re-Authenticate Users?

From: eric[no_spam]@pmcipa.com
Date: Tue, 22 Jan 2002 16:32:24 GMT


>Having done it, subsequent access to files on \\SERVER don't
>usually require re-authentication. (In practice, the file server
>service will drop the session after a while.)
>

This is a bit unclear to me. Some parts of Microsoft documentation say
that subsequent accesses to the same resource do not require
re-authentication because the original access returned a handle to the
object. Subsequent accesses to the same object just re-use the same
handle. Fine, but...

>As a final note, the logon session on \\SERVER does not get a
>copy of the user's network credentials, so isn't able to make
>further hops.
>

And this is where I lose it. If the non-interactive logon session does
not require credentials, why do we call it a "logon session?" Also,
why would we refer to it as "authentication," since authentication is
all about credentials?

Finally, the whole question that brings this up relates to security in
our Internet DMZ. Our organization has two domains--a master domain at
the corporate location and a resource domain (one-way trust) to a
small domain that is colocated at our ISP, behind a PIX firewall that
we own and administer.

The one-way trust makes it easy for our web team to administer the
machines in the DMZ domain. However, I began to wonder if, whenever
they connected to resources in the DMZ domain, their credentials were
being presented in the DMZ domain. From my reading, the answer appears
to be yes, although the DMZ domain simply passes them back to a DC in
the trusted domain for authentication. The point is that the
credentials do appear to traverse the Ethernet in the DMZ, which I'm
afraid exposes them to interception and cracking by someone who has
managed to commandeer one of the DMZ computers. Having done so, they
could obtain credentials for the corporate domain, which would qualify
as a Bad Thing. (Originally, I thought that the web users would simply
present an access token against the resource in the DMZ domain. The
server in the DMZ would see that the token was authenticated by a
trusted domain and would not re-authenticate the user. That does not
appear to be the case.)

This is why I have to get an absolutely authoritative answer on the
question about re-authentication and the presentation of credentials.