6 Appendix A: Product Behavior

  • Article

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

Windows Client

  • Windows NT operating system

  • Windows 2000 Professional operating system

  • Windows XP operating system

  • Windows Vista operating system

  • Windows 7 operating system

  • Windows 8 operating system

  • Windows 8.1 operating system

  • Windows 10 operating system

  • Windows 11 operating system

Windows Server

  • Windows 2000 Server operating system

  • Windows Server 2003 operating system

  • Windows Server 2008 operating system

  • Windows Server 2008 R2 operating system

  • Windows Server 2012 operating system

  • Windows Server 2012 R2 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system 

  • Windows Server 2025 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.2.1: Although the Kerberos protocol is preferred for interactive logon, the NTLM protocol is always used for interactive logon when the domain controller is running Windows NT Server 4.0 operating system.

<2> Section 2.2.4: The following list details differences in PAC validation in Windows.

  • Windows 2000 Server and Windows XP do not validate the PAC when the application server is running under the local system context or has SeTcbPrivilege, as specified in [MS-LSAD] section 3.1.1.2.1. Otherwise, Windows 2000 Server and Windows XP use Kerberos PAC validation.

  • Windows Server 2003 does not validate the PAC when the application server is running under the local system context, the network service context or has SeTcbPrivilege. Otherwise, Windows Server 2003 uses Kerberos PAC validation.

  • Windows Server 2003 operating system with Service Pack 1 (SP1) and later Windows operating systems do not validate the PAC when the application server is under the local system context, the network service context, the local service context, or has SeTcbPrivilege privilege. Otherwise, Windows Server 2003 with SP1 and future service packs or later Windows operating systems use Kerberos PAC validation.

  • Only Windows 2000 Server, Windows XP, and Windows Server 2003 validate the PAC by default for services. Windows still validates the PAC for processes that are not running as services. PAC validation can be enabled when the application server is not running in the context of local system, network service, or local service; or when it does not have SeTcbPrivilege, as specified in [MS-LSAD] section 3.1.1.2.1.

<3> Section 3.1.1: NTLMServerDomainBlocked is not supported on Windows NT, Windows 2000 Server, Windows Server 2003, or Windows Server 2008. Where supported, the default is FALSE.

<4> Section 3.1.1: These configuration values are not supported on Windows 2000 Server, Windows Server 2003, or Windows Server 2008. Where they are supported, the default value for AccountDCBlocked and ResourceDCBlocked is FALSE. The default value of DCBlockExceptions, where supported, is NULL.

<5> Section 3.1.1: In Windows 2000 Server, AllowComputerLogon is provided by the application to the NTLM server. This value can influence various protocol-defined flags. For example, if AllowComputerLogon is not set, then the K bit of LogonInformation.LogonNetwork.Identity.ParameterControl (section 3.1.5.2) is not set.

<6> Section 3.1.5: Windows does not use the NetrLogonSamLogonEx method. Windows uses NetrLogonSamLogonWithFlags (Opnum 45).

<7> Section 3.1.5: NTLMServerDomainBlocked is not supported on Windows NT, Windows 2000 Server, Windows Server 2003, or Windows Server 2008.

<8> Section 3.1.5: ResourceDCBlocked is not supported on Windows 2000 Server, Windows Server 2003, or Windows Server 2008.

<9> Section 3.1.5: AccountDCBlocked is not supported on Windows 2000 Server, Windows Server 2003, or Windows Server 2008.

<10> Section 3.1.5: AllowedToAuthenticateTo is not supported by Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 DCs.

<11> Section 3.1.5: PROTECTED_USERS is not supported by Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.

<12> Section 3.1.5.1: msDS-UserAllowedToAuthenticateFrom is not supported by Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.

<13> Section 3.1.5.1: msDS-ServiceAllowedToAuthenticateFrom is not supported by Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.

<14> Section 3.1.5.1: Windows does not use the NetrLogonSamLogonEx method. Windows uses NetrLogonSamLogonWithFlags (Opnum 45).

<15> Section 3.1.5.1: In Windows NT 4.0 operating system and Windows 2000 Server, the ValidationLevel is NETLOGON_VALIDATION_SAM_INFO2.

<16> Section 3.1.5.1: If the DC returns a failure code, Windows fails the logon attempt. Other failure codes are also returned based on the policy (for a list of error codes, see [MS-ERREF]), and all of them result in logon failure.

When a Windows XP NETLOGON client talks with a Windows 2000 Server DC, Netlogon is responsible for negotiating the minimal ValidationLevel that is supported. This negotiated ValidationLevel is used, and the corresponding validation information is returned, as specified in [MS-NRPC] section 3.5.4.5.1. Note that the NETLOGON_VALIDATION_SAM_INFO4 structure is a superset of the NETLOGON_VALIDATION_SAM_INFO2 structure.

<17> Section 3.1.5.2: msDS-UserAllowedNTLMNetworkAuthentication and msDS-ServiceAllowedNTLMNetworkAuthentication are not supported by Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.

<18> Section 3.1.5.2: Windows does not use the NetrLogonSamLogonEx method. Windows uses NetrLogonSamLogonWithFlags (Opnum 45) instead.

<19> Section 3.1.5.2: In Windows NT and Windows 2000 Server, the default ValidationLevel is NETLOGON_VALIDATION_SAM_INFO2.

<20> Section 3.1.5.2: In Windows 2000 Server, if AllowComputerLogon is not set, the K bit of LogonInformation.LogonNetwork.Identity.ParameterControl is not set. In Windows NT, NTLM servers never set the K bit.

<21> Section 3.1.5.2: In Windows NT, the DC cannot authenticate computer accounts.

<22> Section 3.1.5.2: When a Windows XP NETLOGON client talks with a Windows 2000 Server DC, Netlogon is responsible for negotiating the minimal ValidationLevel that is supported. This negotiated ValidationLevel is used, and the corresponding validation information is returned, as specified in [MS-NRPC] section 2.2.1.4.17. Note that the NETLOGON_VALIDATION_SAM_INFO4 structure is a superset of the NETLOGON_VALIDATION_SAM_INFO2 structure.

Except for Windows NT, the user information contained in the NETLOGON_VALIDATION_SAM_INFO4 structure is obtained by querying Active Directory.

<23> Section 3.1.5.2.1: On Windows 2000 operating system, subauthentication packages are installed by default.

<24> Section 3.3: The validation protocol uses the generic pass-through mechanism, as specified in [MS-NRPC] section 3.2.4.1. The Digest validation server is always a domain controller, and the Digest authentication client can be a member server of a domain or another DC in the same forest. The DC can also contact another DC in the same forest by using the DIGEST_VALIDATION_REQ (section 2.2.5.1) and DIGEST_VALIDATION_RESP (section 2.2.5.2) exchange, if the user's account is located in a different domain than that of the DC that receives the request. Windows clients do not support digest in this manner.

<25> Section 3.3.5.1: Windows 2000 Server can send other AlgType values.

<26> Section 3.3.5.2: Windows 2000 Server will not fail the DIGEST_VALIDATION_REQ request.