2.1 Overview

The following diagram illustrates the high-level interactions between the internal components of Authentication Services and other external systems, including the public key infrastructure (PKI), Authorization, and the account database.

Figure 2: Authentication Services interactions with internal and external components

Applications

Applications can be interactive applications, such as Winlogon, or distributed client and server applications, such as a web browser and web server, a file client and file server, or any other type of client and server application.

Account database

An account database maintains the security principals and the information necessary for authentication and other purposes. In Windows, an Active Directory database maintains the domain security principals, whereas the security account manager (SAM) built-in database maintains local security principals. In the Windows NT 4.0 operating system, both domain controllers (DCs) and workstations store security principal accounts in a SAM database, which uses the Windows registry for underlying persistent storage. Starting with the Windows 2000 operating system, the domain security principals are stored in Active Directory instead of the registry.

The account database is the portion of the directory that maintains the accounts for the principals of the domain. In Windows NT 4.0 domains, the account database includes all the information in the Windows NT 4.0 domain. In Active Directory domains, the account database contains a subset of the entire LDAP-accessible directory that an Active Directory domain hosts.

In the final step of the authentication process, the account database is consulted to verify the identity being authenticated.

Public key infrastructure (PKI)

Windows PKI provides a framework of services, technology, protocols, and standards that enable the deployment and management of a strong information security system that is based on public key technology. Authentication Services interact with Windows PKI to encrypt and decrypt messages, to sign and verify messages, and to verify the identities of the client and server by using digital certificates. As shown in the preceding diagram, distributed client and server applications interact with Windows PKI for certificate enrollment, renewal, and certificate signature validation.

The SSL/TLS [MS-TLSP], PKINIT [MS-PKCA], and Kerberos Network Authentication Service [MS-SFU] protocols assume that Windows PKI functions are available as described in [MS-CERSOD].

Windows PKI relies on Microsoft CryptoAPI version 2 for secure cryptographic operations and private key management.
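The sign/verify and identity-verification operations named above, shown as an added PowerShell example that is not code from Windows PKI or from this overview. It uses the .NET RSACng and X509Chain classes, which on Windows are implemented over CNG and the CryptoAPI certificate chain engine. The function names, the sample message text, and the expected peer name are assumptions for illustration; the certificate lookup assumes one exists in the local machine's personal store.

```powershell
# Added example: RSA sign/verify and certificate chain validation via .NET on Windows.
# Function names, the sample message, and 'server.contoso.local' are constructed.

function New-SignedMessage {
    # Sign a byte string with the holder's private key; returns the signature bytes.
    param([byte[]]$Message, [System.Security.Cryptography.RSA]$PrivateKey)
    return $PrivateKey.SignData($Message,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Test-SignedMessage {
    # Verify a signature using only the public key; returns $true or $false.
    param([byte[]]$Message, [byte[]]$Signature, [System.Security.Cryptography.RSA]$PublicKey)
    return $PublicKey.VerifyData($Message, $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Test-PeerCertificate {
    # Build the chain against the local trust stores (with revocation checking),
    # then confirm the certificate names the peer we intended to talk to.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedDnsName
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk  = $chain.Build($Certificate)
    $problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    # A valid chain proves a trusted CA vouches for this key; it does not by itself
    # prove whose key it is, so the certificate's DNS name must match the expected peer.
    $dnsName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk = ($dnsName -ieq $ExpectedDnsName)

    return [pscustomobject]@{
        Subject  = $Certificate.Subject
        ChainOk  = $chainOk
        NameOk   = $nameOk
        Trusted  = ($chainOk -and $nameOk)
        Problems = $problems
    }
}

# --- Demonstration with a constructed, ephemeral CNG key pair ---
$signer    = New-Object System.Security.Cryptography.RSACng 2048
$message   = [System.Text.Encoding]::UTF8.GetBytes("client hello from workstation01")  # constructed
$signature = New-SignedMessage -Message $message -PrivateKey $signer

# The verifying side holds only the public parameters of the key.
$verifier = New-Object System.Security.Cryptography.RSACng
$verifier.ImportParameters($signer.ExportParameters($false))

"Genuine message verifies:  " + (Test-SignedMessage $message $signature $verifier)
$tampered = [System.Text.Encoding]::UTF8.GetBytes("client hello from workstation02")   # constructed
"Tampered message verifies: " + (Test-SignedMessage $tampered $signature $verifier)

# Certificate validation against the local machine store (assumes a certificate is
# present in Cert:\LocalMachine\My; replace the DNS name with the peer you expect).
$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
if ($cert) {
    Test-PeerCertificate -Certificate $cert -ExpectedDnsName 'server.contoso.local' | Format-List
}
```

The genuine message verifies and the altered one does not, which is the property the authentication protocols rely on when they sign and verify messages. The chain check and the name check are deliberately separate results: a certificate can chain to a trusted root and still belong to the wrong party, so both must hold before the peer's identity is accepted.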

Authorization

After an identity is authenticated, the next step is to use the identity to authorize access to a resource. Authorization provides an interface for applications to make authorization decisions.