
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This reference topic for the IT professional explains how Windows authentication processes credentials.


Windows credentials management is the process by which the operating system receives the credentials from the service or user and secures that information for future presentation to the authenticating target. In the case of a domain-joined computer, the authenticating target is the domain controller. The credentials used in authentication are digital documents that associate the user's identity with some form of proof of authenticity, such as a certificate, a password, or a PIN.

By default, Windows credentials are validated against the Security Accounts Manager (SAM) database on the local computer, or against Active Directory on a domain-joined computer, through the Winlogon service. Credentials are collected through user input on the logon user interface or programmatically via the application programming interface (API) to be presented to the authenticating target.

Local security information is stored in the registry under HKEY_LOCAL_MACHINE\SECURITY. Stored information includes policy settings, default security values, and account information, such as cached logon credentials. A copy of the SAM database is also stored here, although it is write-protected.

The following diagram shows the components that are required and the paths that credentials take through the system to authenticate the user or process for a successful logon.


The following table describes each component that manages credentials in the authentication process at the point of logon.

Authentication components for all systems

User logon: Winlogon.exe is the executable file responsible for managing secure user interactions. The Winlogon service initiates the logon process for Windows operating systems by passing the credentials collected by user action on the secure desktop (Logon UI) to the Local Security Authority (LSA) through Secur32.dll.

Application logon: Application or service logons that do not require interactive logon. Most processes initiated by the user run in user mode by using Secur32.dll, whereas processes initiated at startup, such as services, run in kernel mode by using Ksecdd.sys.

For more information about user mode and kernel mode, see Applications and user mode or Services and kernel mode in this topic.

Secur32.dll: The multiple authentication providers that form the foundation of the authentication process.

Lsasrv.dll: The LSA Server service, which both enforces security policies and acts as the security package manager for the LSA. The LSA contains the Negotiate function, which selects either the NTLM or Kerberos protocol after determining which protocol is to be successful.

Security Support Providers: A set of providers that can individually invoke one or more authentication protocols. The default set of providers can change with each version of the Windows operating system, and custom providers can be written.

Netlogon.dll: The services that the Net Logon service performs are as follows:
- Maintains the computer's secure channel (not to be confused with Schannel) to a domain controller.
- Passes the user's credentials through a secure channel to the domain controller and returns the domain security identifiers (SIDs) and user rights for the user.
- Publishes service resource records in the Domain Name System (DNS) and uses DNS to resolve names to the Internet Protocol (IP) addresses of domain controllers.
- Implements the replication protocol based on remote procedure call (RPC) for synchronizing primary domain controllers (PDCs) and backup domain controllers (BDCs).

Samsrv.dll: The Security Accounts Manager (SAM), which stores local security accounts, enforces locally stored policies, and supports APIs.

Registry: The registry contains a copy of the SAM database, local security policy settings, default security values, and account information that is only accessible to the system.
This topic has the following sections:

Credential input for user logon

In Windows Server 2008 and Windows Vista, the Graphical Identification and Authentication (GINA) architecture was replaced with a credential provider model, which made it possible to enumerate different logon types through the use of logon tiles. Both models are described below.

Graphical Identification and Authentication architecture

The Graphical Identification and Authentication (GINA) architecture applies to the Windows Server 2003, Windows 2000 Server, Windows XP, and Windows 2000 Professional operating systems. In these systems, every interactive logon session creates a separate instance of the Winlogon service. The GINA architecture is loaded into the process space used by Winlogon, receives and processes the credentials, and makes the calls to the authentication interfaces through LSALogonUser.

The instances of Winlogon for an interactive logon run in Session 0. Session 0 hosts system services and other critical processes, including the Local Security Authority (LSA) process.

The following diagram shows the credential process for Windows Server 2003, Windows 2000 Server, Windows XP, and Windows 2000 Professional.


Credential provider architecture

The credential provider architecture applies to those versions designated in the Applies To list at the beginning of this topic. In these systems, the credential input architecture changed to an extensible design by using credential providers. These providers are represented by the different logon tiles on the secure desktop that permit any number of logon scenarios - different accounts for the same user and different authentication methods, such as password, smart card, and biometrics.

With the credential provider architecture, Winlogon always starts Logon UI after it receives a secure attention sequence event. Logon UI queries each credential provider for the number of different credential types the provider is configured to enumerate. Credential providers have the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, Logon UI displays them to the user. The user interacts with a tile to supply their credentials. Logon UI submits these credentials for authentication.

Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The Local Security Authority and authentication packages enforce security.

Credential providers are registered on the computer and are responsible for the following:

Describing the credential information required for authentication.

Handling communication and logic with external authentication authorities.

Packaging credentials for interactive and network logon.

Packaging credentials for interactive and network logon includes the process of serialization. By serializing credentials, multiple logon tiles can be displayed on the logon UI. Therefore, your organization can control the logon display - such as users, target systems for logon, pre-logon access to the network, and workstation lock/unlock policies - through the use of customized credential providers. Multiple credential providers can co-exist on the same computer.
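Because every provider registered on the computer is loaded by Logon UI and handles raw credentials, an administrator will want an inventory of what is registered and whether each provider's DLL is signed. The following PowerShell script is an added example, not part of the original article or of Windows itself; the registration keys it reads (the Credential Providers and PLAP Providers subkeys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication, and the COM InprocServer32 mapping) are assumed from the author's own knowledge of Windows and are not stated in the article.

```powershell
# Added example (not from the original article): inventory the credential providers and
# Pre-Logon-Access Providers (PLAPs) registered on this computer and check the Authenticode
# signature of the DLL behind each one. Registry paths are assumed, not taken from the article.
$authRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$kinds = @{
    'Credential Providers' = 'Credential provider'
    'PLAP Providers'       = 'Pre-Logon-Access Provider'
}

function Get-RegisteredAuthProvider {
    foreach ($kind in $kinds.Keys) {
        $key = Join-Path $authRoot $kind
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName                       # each subkey is named after the provider's CLSID
            $name  = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            # The COM registration maps the CLSID to the in-process server DLL that Logon UI will load.
            $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' } else { $null }
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            $sig = if ($dll -and (Test-Path $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            [pscustomobject]@{
                Kind      = $kinds[$kind]
                Name      = $name
                CLSID     = $clsid
                Dll       = $dll
                Signature = if ($sig) { $sig.Status } else { 'DLL not found' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

Get-RegisteredAuthProvider | Sort-Object Kind, Name | Format-Table -AutoSize
# Review any entry whose DLL lives outside %SystemRoot%\System32 or whose Signature is not
# 'Valid': because providers are not enforcement mechanisms, nothing stops a registered
# provider from seeing the credentials a user types.
```

Run it in an elevated Windows PowerShell session on the computer being reviewed; the output is a table of provider type, friendly name, CLSID, DLL path, signature status and signer that can be compared against a known-good baseline.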

Single sign-on (SSO) providers can be developed as a standard credential provider or as a Pre-Logon-Access Provider.

Each version of Windows contains one default credential provider and one default Pre-Logon-Access Provider (PLAP), also known as the SSO provider. The SSO provider permits users to make a connection to a network before logging on to the local computer. When this provider is implemented, the provider does not enumerate tiles on Logon UI.

An SSO provider is intended to be used in the following scenarios:

Network authentication and computer logon are handled by different credential providers. Variations of this scenario include:

A user has the option of connecting to a network, such as connecting to a virtual private network (VPN), before logging on to the computer but is not required to make this connection.

Network authentication is required to retrieve information used during interactive authentication on the local computer.

Multiple network authentications are followed by one of the other scenarios. For example, a user authenticates to an Internet service provider (ISP), authenticates to a VPN, and then uses their user account credentials to log on locally.

Cached credentials are disabled, and a Remote Access Services connection through VPN is required before local logon to authenticate the user.

A domain user does not have a local account set up on a domain-joined computer and must establish a Remote Access Services connection through VPN before completing interactive logon.

Network authentication and computer logon are handled by the same credential provider. In this scenario, the user is required to connect to the network before logging on to the computer.

Logon tile enumeration

The credential provider enumerates logon tiles in the following instances:

For those operating systems designated in the Applies To list at the beginning of this topic.

The credential provider enumerates the tiles for workstation logon. The credential provider typically serializes credentials for authentication to the local security authority. This process displays tiles specific to each user and specific to each user's target systems.

The logon and authentication architecture lets a user use tiles enumerated by the credential provider to unlock a workstation. Typically, the currently logged-on user is the default tile, but if more than one user is logged on, multiple tiles are displayed.

The credential provider enumerates tiles in response to a user request to change their password or other private information, such as a PIN. Typically, the currently logged-on user is the default tile; however, if more than one user is logged on, multiple tiles are displayed.

The credential provider enumerates tiles based on the serialized credentials to be used for authentication on remote computers. Credential UI does not use the same instance of the provider as Logon UI, Unlock Workstation, or Change Password. Therefore, state information cannot be maintained in the provider between instances of Credential UI. This structure results in one tile for each remote computer logon, assuming the credentials have been correctly serialized. This scenario is also used in User Account Control (UAC), which can help prevent unauthorized changes to a computer by prompting the user for permission or an administrator password before permitting actions that could potentially affect the computer's operation or that could change settings that affect other users of the computer.

The following diagram shows the credential process for the operating systems designated in the Applies To list at the beginning of this topic.


Credential input for application and service logon

Windows authentication is designed to manage credentials for applications or services that do not require user interaction. Applications in user mode are limited in terms of what system resources they have access to, while services can have unrestricted access to the system memory and external devices.

System services and transport-level applications access a Security Support Provider (SSP) through the Security Support Provider Interface (SSPI) in Windows, which provides functions for enumerating the security packages available on a system, selecting a package, and using the package to obtain an authenticated connection.

When a client/server connection is authenticated:

The application on the client side of the connection sends credentials to the server by using the SSPI function InitializeSecurityContext (General).

The application on the server side of the connection responds with the SSPI function AcceptSecurityContext (General).

The SSPI functions InitializeSecurityContext (General) and AcceptSecurityContext (General) are repeated until all the necessary authentication messages have been exchanged to either succeed or fail authentication.

After the connection has been authenticated, the LSA on the server uses information from the client to build the security context, which contains an access token.

The server can then call the SSPI function ImpersonateSecurityContext to attach the access token to an impersonation thread for the service.
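The five steps above can be watched end to end from a single Windows PowerShell 5.1 session. The script below is an added example, not code from the original article; it uses .NET's System.Net.Security.NegotiateStream, which wraps the Negotiate SSP and performs the InitializeSecurityContext/AcceptSecurityContext loop for the client and server respectively, and then impersonates the resulting context in the same way a service would after ImpersonateSecurityContext. The loopback TCP connection and the fact that both ends run as the same account are a constructed setup for illustration; the script assumes .NET Framework (Windows PowerShell), where WindowsIdentity.Impersonate is available.

```powershell
# Added example (not from the original article): a loopback SSPI handshake via NegotiateStream.
# Client and server are both this process; that is a constructed setup for illustration.
function Invoke-LoopbackNegotiate {
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
    $listener.Start()
    $port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port
    try {
        $clientSock = [System.Net.Sockets.TcpClient]::new()
        $clientSock.Connect([System.Net.IPAddress]::Loopback, $port)
        $serverSock = $listener.AcceptTcpClient()

        $server = [System.Net.Security.NegotiateStream]::new($serverSock.GetStream(), $false)
        $client = [System.Net.Security.NegotiateStream]::new($clientSock.GetStream(), $false)

        # Server side: the AcceptSecurityContext loop. Started asynchronously so that the
        # client can send its first token from this same thread.
        $serverTask = $server.AuthenticateAsServerAsync()
        # Client side: the InitializeSecurityContext loop with the caller's default credentials.
        # The two sides keep exchanging tokens until authentication succeeds or fails.
        $client.AuthenticateAsClient()
        $serverTask.Wait()

        # The server now holds a security context (and access token) for the client.
        $identity = [System.Security.Principal.WindowsIdentity]$server.RemoteIdentity
        $result = [pscustomobject]@{
            Package        = $server.RemoteIdentity.AuthenticationType   # NTLM or Kerberos, chosen by Negotiate
            ClientName     = $identity.Name
            MutuallyAuthed = $server.IsMutuallyAuthenticated
            Signed         = $server.IsSigned
            Encrypted      = $server.IsEncrypted
        }

        # Attach the client's token to this thread: the managed counterpart of ImpersonateSecurityContext.
        $ctx = $identity.Impersonate()
        try {
            $result | Add-Member -NotePropertyName ThreadRunsAs `
                -NotePropertyValue ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
        } finally {
            $ctx.Undo()   # always revert: a service thread left impersonating keeps the client's privileges
        }

        $client.Dispose(); $server.Dispose()
        return $result
    } finally {
        $listener.Stop()
    }
}

Invoke-LoopbackNegotiate | Format-List
```

Because no target name (SPN) is supplied to AuthenticateAsClient, Negotiate normally settles on NTLM for this loopback exchange, which is why MutuallyAuthed is typically false; supplying a registered SPN on a domain-joined computer lets Negotiate select Kerberos instead, which the Package field will then show.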

Applications and also user mode

User mode in Windows is composed of two systems capable of passing I/O requests to the appropriate kernel-mode drivers: the environment system, which runs applications written for many different types of operating systems, and the integral system, which operates system-specific functions on behalf of the environment system.

The integral system manages operating system-specific functions on behalf of the environment system and consists of a security system process (the LSA), a workstation service, and a server service. The security system process deals with security tokens, grants or denies permissions to access user accounts based on resource permissions, handles logon requests and initiates logon authentication, and determines which system resources the operating system needs to audit.

Applications can run in user mode, where the application can run as any principal, including in the security context of Local System (SYSTEM). Applications can also run in kernel mode, where the application can run in the security context of Local System (SYSTEM).

SSPI is available through the Secur32.dll module, which is an API used for obtaining integrated security services for authentication, message integrity, and message privacy. It provides an abstraction layer between application-level protocols and security protocols. Because different applications require different ways of identifying or authenticating users and different ways of encrypting data as it travels across a network, SSPI provides a way to access dynamic-link libraries (DLLs) that contain different authentication and cryptographic functions. These DLLs are called Security Support Providers (SSPs).
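Both the description of SSPI in the application-logon section (enumerating the security packages available on a system) and the paragraph above (SSPs as DLLs reached through Secur32.dll) can be made concrete by asking SSPI itself which packages are installed. The script below is an added example, not code from the original article or from Windows; it imports EnumerateSecurityPackages and FreeContextBuffer from Secur32.dll with P/Invoke and decodes a few capability bits. The SECPKG_FLAG_* values in the table are taken from the author's knowledge of sspi.h and are not stated in the article.

```powershell
# Added example (not from the original article): list the SSPs installed on this computer
# through SSPI's own EnumerateSecurityPackages function. Flag values are assumed from sspi.h.
$sspiDefinition = @'
using System;
using System.Runtime.InteropServices;
public static class Sspi
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SecPkgInfo
    {
        public uint fCapabilities;
        public ushort wVersion;
        public ushort wRPCID;
        public uint cbMaxToken;
        [MarshalAs(UnmanagedType.LPWStr)] public string Name;
        [MarshalAs(UnmanagedType.LPWStr)] public string Comment;
    }
    [DllImport("secur32.dll", CharSet = CharSet.Unicode)]
    public static extern int EnumerateSecurityPackagesW(out uint pcPackages, out IntPtr ppPackageInfo);
    [DllImport("secur32.dll")]
    public static extern int FreeContextBuffer(IntPtr pvContextBuffer);
}
'@
Add-Type -TypeDefinition $sspiDefinition

$capabilityFlags = [ordered]@{
    Integrity     = 0x00001   # SECPKG_FLAG_INTEGRITY: package can sign messages
    Privacy       = 0x00002   # SECPKG_FLAG_PRIVACY: package can encrypt messages
    Impersonation = 0x00100   # SECPKG_FLAG_IMPERSONATION: server may impersonate the client
    Negotiable    = 0x00800   # SECPKG_FLAG_NEGOTIABLE: selectable by the Negotiate package
    Logon         = 0x02000   # SECPKG_FLAG_LOGON: usable for logon (LsaLogonUser-style)
    MutualAuth    = 0x10000   # SECPKG_FLAG_MUTUAL_AUTH: authenticates both sides
}

function Get-SecurityPackage {
    $count  = 0
    $buffer = [IntPtr]::Zero
    $status = [Sspi]::EnumerateSecurityPackagesW([ref]$count, [ref]$buffer)
    if ($status -ne 0) { throw ('EnumerateSecurityPackages failed: 0x{0:X8}' -f $status) }
    try {
        $type = [Sspi+SecPkgInfo]
        $size = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$type)
        for ($i = 0; $i -lt $count; $i++) {
            # The function returns a contiguous array of SecPkgInfo structures; walk it by size.
            $entry = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
                [IntPtr]::Add($buffer, $i * $size), [type]$type)
            $caps = foreach ($flag in $capabilityFlags.Keys) {
                if ($entry.fCapabilities -band $capabilityFlags[$flag]) { $flag }
            }
            [pscustomobject]@{
                Name         = $entry.Name
                Comment      = $entry.Comment
                MaxToken     = $entry.cbMaxToken
                Capabilities = ($caps -join ', ')
            }
        }
    } finally {
        # The array is allocated by SSPI and must be released with FreeContextBuffer, not Marshal.FreeHGlobal.
        [void][Sspi]::FreeContextBuffer($buffer)
    }
}

Get-SecurityPackage | Format-Table -AutoSize
```

On a typical installation the output lists Negotiate, Kerberos, NTLM, Schannel and others together with their capabilities; comparing the list against a baseline is a quick way to spot a security package that has been added to a computer.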

Managed service accounts and virtual accounts were introduced in Windows Server 2008 R2 and Windows 7 to provide crucial applications, such as SQL Server and Internet Information Services (IIS), with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. For more information about these features and their role in authentication, see Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2 and Group Managed Service Accounts Overview.


Services and kernel mode

Even though most Windows applications run in the security context of the user who starts them, this is not true of services. Many Windows services, such as network and printing services, are started by the service controller when the user starts the computer. These services might run as Local Service or Local System and might continue to run after the last human user logs off.