You've probably heard a lot about how Windows NT 5.0 is opening the door to a wider range of authentication protocols than existed in previous versions of NT. In fact, NT 5.0 will use a Kerberos-based authentication library in place of MSV1_0 for domain logon, and it will store domain, account, group, and alias information in the Active Directory (AD) rather than the Security Accounts Manager (SAM). NT 5.0 will continue to store local account, group, and alias information in the SAM, and MSV1_0 will still be responsible for local logon and logons to pre-NT 5.0 (e.g., NT 4.0) domains.

In the NT 5.0 logon model, the Local Security Authority Sub System (LSASS) passes identification and password information to the Kerberos authentication library. The library locates a nearby AD Key Distribution Center (KDC) server and forwards to the KDC a request that includes the client's name and proof that the client knows the password (the proof does not include the password). The AD server performs account and password look-ups in the directory and returns a ticket-granting ticket to the library. The library uses the ticket-granting ticket to obtain a ticket to the workstation the client is running on and then extracts the security identifiers (SIDs) from the ticket to pass back to LSASS. Kerberos uses private- and public-key password encryption, which is considered more secure than the encryption methods in previous versions of NT.

Kerberos is specified along with other add-on authentication packages in the new Security Packages Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa (which you see in Screen A). Specific applications choose which package they want to use, so application developers have more security options. One difference between security packages and authentication packages is that security packages (new to NT 5.0) support the Security Support Provider Interface (SSPI) and are integrated into LSASS, which gives them better access to tokens. Winlogon uses Kerberos for domain logon and MSV1_0 for local logon, but an Internet-based application can use secure socket authentication through a package such as the Schannel security package.