Re: What is the difference between logging into an AD Domain versus connecting to network resource?



"JLeste" <anyone@xxxxxxxxxxxx> wrote in message
news:43DA7997.2030708@xxxxxxxxxxxxxxx
> Roger Abell [MVP] wrote:
>> That is a fairly broad question.
>>
>> One way to look at things that might help runs . . .
>>
>> To use resources you are always authenticated first,
>> which is the process of verifying who you are, that
>> you are "allowed" to use the account you are trying
>> to use. Following this, there is then an authorization
>> check to see if this "you" (the authenticated account)
>> is allowed to do what it is trying to do.
>>
>> When one has logged into a domain member with a
>> domain account, the authentication took place at a
>> domain controller. In this case the "you" is an account
>> that all domain members recognize and all will trust (as
>> they trust the decisions of the domain controllers).
>> When one has logged into a domain member with a local
>> account, or to a non-domain member (whether with a
>> local account or a domain account if in a non-trusted
>> domain) the "you" is something about which machines
>> in the domain know nothing and the authorization was
>> by an authority in which they place no trust. In other
>> words, that "you" is nobody to them.
>>
>> So, when the current login is with recognized credentials
>> the accessed machine only needs to do the authorization
>> for the attempted access. However, if the "you" is nobody
>> to the accessed machine then it needs to start at square
>> one and first find out who is attempting access (and so it
>> issues an authentication prompting).
>>
> Thanks for such a coherent explanation. And somewhere in my head I think I
> knew this.
>
> Jan

You're welcome Jan.
Just tuck away in the head "authentication + authorization"
Everything flows from remembering these are two, and different.

Roger
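
Added example, not part of the original posts: a PowerShell check of which authority authenticated the current logon session, which is what decides whether a domain member only has to authorize you or has to start with an authentication prompt. It assumes Windows PowerShell 3.0 or later on the client; the output property names are made up for this example.

```powershell
# Added example: who is the "you" that this session presents to other machines?
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$computer = Get-CimInstance -ClassName Win32_ComputerSystem

# WindowsIdentity.Name has the form "AUTHORITY\user". For a local account the
# authority is the machine itself, so it matches the computer name.
$authority, $user = $identity.Name -split '\\', 2
$isLocalAccount = $authority -ieq $env:COMPUTERNAME

# Recognized by domain members only if this machine is a domain member AND the
# account was authenticated by a domain controller rather than the local SAM.
# Note: this does not test trust between different domains.
$recognized = $computer.PartOfDomain -and (-not $isLocalAccount)

if ($recognized) {
    $expectation = 'Domain members trust this identity: authorization check only.'
} else {
    $expectation = 'Identity unknown to domain members: expect an authentication prompt.'
}

[pscustomobject]@{
    Account            = $identity.Name
    AuthenticatedBy    = $authority
    AuthenticationType = $identity.AuthenticationType
    MachineInDomain    = $computer.PartOfDomain
    MachineDomain      = $computer.Domain   # workgroup name if not domain joined
    LogonServer        = $env:LOGONSERVER
    Expectation        = $expectation
}
```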

