Re: What is the difference between logging into an AD Domain versus connecting to network resource?
- From: JLeste <anyone@xxxxxxxxxxxx>
- Date: Fri, 27 Jan 2006 11:50:47 -0800
Thanks for such a coherent explanation. And somewhere in my head I think I knew this.
Roger Abell [MVP] wrote:
That is a fairly broad question.
One way to look at things that might help runs . . .
To use resources you are always authenticated first, which is the process of verifying who you are, that you are "allowed" to use the account you are trying to use. Following this, there is then an authorization check to see if this "you" (the authenticated account) is allowed to do what it is trying to do.
When one has logged into a domain member with a domain account, the authentication took place at a domain controller. In this case the "you" is an account that all domain members recognize and all will trust (as they trust the decisions of the domain controllers). When one has logged into a domain member with a local account, or to a non-domain member (whether with a local account or a domain account if in a non-trusted domain) the "you" is something about which machines in the domain know nothing and the authorization was by an authority in which they place no trust. In other words, that "you" is nobody to them.
So, when the current login is with recognized credentials the accessed machine only needs to do the authorization for the attempted access. However, if the "you" is nobody to the accessed machine then it needs to start at square one and first find out who is attempting access (and so it issues an authentication prompting).
Jan .
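
A simplified model of the decision described in the quoted explanation, added here as an illustration and not part of the original message. The HMAC tag stands in for the real Kerberos/NTLM exchange, and every name, key and ACL entry is a constructed assumption.

```python
import hashlib
import hmac

# Constructed sample data: authority names, keys, accounts and ACL are hypothetical.
DC_KEY = b"constructed-domain-controller-key"
LOCAL_KEY = b"constructed-workstation-sam-key"

# The file server is a domain member: the only authority it trusts is the DC.
TRUSTED_AUTHORITIES = {"CORP-DC": DC_KEY}
SHARE_ACL = {r"\\FS01\finance": {r"CORP\alice"}}


def issue_logon(authority, key, account):
    """Authentication: an authority vouches for an account by signing its name."""
    msg = f"{authority}|{account}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"authority": authority, "account": account, "tag": tag}


def is_recognized(logon):
    """True only if an authority this server trusts produced the logon."""
    key = TRUSTED_AUTHORITIES.get(logon["authority"])
    if key is None:
        return False
    msg = f"{logon['authority']}|{logon['account']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, logon["tag"])


def access_share(logon, share):
    """Return the file server's decision for one access attempt."""
    if not is_recognized(logon):
        # The "you" is nobody to this machine: start at square one.
        return "PROMPT_FOR_CREDENTIALS"
    # Recognized credentials: only the authorization check remains.
    if logon["account"] in SHARE_ACL.get(share, set()):
        return "ACCESS_GRANTED"
    return "ACCESS_DENIED"


def demo():
    share = r"\\FS01\finance"
    return [
        access_share(issue_logon("CORP-DC", DC_KEY, r"CORP\alice"), share),
        access_share(issue_logon("CORP-DC", DC_KEY, r"CORP\bob"), share),
        access_share(issue_logon("WKSTN7", LOCAL_KEY, r"WKSTN7\alice"), share),
    ]
```

The three cases in `demo()` are a domain account on the ACL, a domain account that is authenticated but not authorized, and a local account the server cannot recognize at all.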