
Protocol Selection

The following process determines whether the Kerberos or NTLM protocol is used to complete the network authentication process:
1. After the user name and password are entered, the LSA passes this information to the Security Support Provider Interface (SSPI), an interface that communicates with both the Kerberos and NTLM services.
Tip: SSPI also lets developers write “security-aware” applications regardless of whether the Kerberos or NTLM protocol is used.
2. SSPI passes the user name and password to the Kerberos Security Support Provider (SSP), which exchanges messages directly with the domain’s Kerberos Key Distribution Center (KDC). The Kerberos SSP determines whether the target computer name is the local computer or the domain name.
3. If the domain name is referenced and the KDC recognizes the user name, the Kerberos authentication process proceeds.
4. If the user name is not recognized, the KDC passes an internal error message to the SSPI. If a KDC cannot be found, the following message (transparent to the user) is passed back to the LSA: “No logon server available.”
5. The internal error message triggers the process to start over again. MSGINA passes the information to LSA again, and then LSA passes the information back to SSPI.
6. SSPI then passes the user name and password to the NTLM driver, MSV1_0 SSP. MSV1_0 then uses the Net Logon service to complete the NTLM authentication process.
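The outcome of the selection above is visible after the fact in the logon record. The following is an added example, not part of this document: it reads constructed records in the shape of Windows Security Event ID 4624 and lists which domain-account logons were completed by MSV1_0 rather than the Kerberos SSP. It assumes the EventData field names AuthenticationPackageName, LmPackageName and TargetDomainName as they appear in that event; the user names, domain and values are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample records in the shape of Windows Security Event ID 4624 (EventData/Data Name=...).
# The field names follow the real event; every value below is made up for this example.
SAMPLE_EVENTS = [
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data>'
    '<Data Name="LogonType">2</Data><Data Name="AuthenticationPackageName">Negotiate</Data>'
    '<Data Name="LmPackageName">-</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">CORP</Data>'
    '<Data Name="LogonType">2</Data><Data Name="AuthenticationPackageName">Negotiate</Data>'
    '<Data Name="LmPackageName">NTLM V2</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="TargetUserName">localadmin</Data><Data Name="TargetDomainName">WS02</Data>'
    '<Data Name="LogonType">2</Data><Data Name="AuthenticationPackageName">NTLM</Data>'
    '<Data Name="LmPackageName">NTLM V2</Data></EventData></Event>',
]

def parse_event(xml_text):
    """Flatten one event into a dict: EventID plus each EventData/Data field by its Name."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    fields["EventID"] = int(root.findtext("System/EventID"))
    return fields

def resolve_ssp(ev):
    """Name the SSP that completed the logon. 'Negotiate' hides the choice; the
    LmPackageName field ('Package Name (NTLM only)') stays '-' unless MSV1_0 ran."""
    pkg = ev.get("AuthenticationPackageName", "")
    if pkg == "Negotiate":
        pkg = "NTLM" if ev.get("LmPackageName", "-") != "-" else "Kerberos"
    return {"Kerberos": "Kerberos SSP", "NTLM": "MSV1_0 SSP"}.get(pkg, "unknown")

def ntlm_domain_logons(events, domain):
    """Users of successful (4624) logons of *domain* accounts that ended up on MSV1_0.
    Heuristic, not proof: a KDC-unreachable fallback looks like this, but so does a client
    that targets an IP address instead of a hostname, so each hit is a lead to check."""
    hits = []
    for ev in map(parse_event, events):
        if ev["EventID"] != 4624 or ev.get("TargetDomainName", "").upper() != domain.upper():
            continue
        if resolve_ssp(ev) == "MSV1_0 SSP":
            hits.append(ev["TargetUserName"])
    return hits

if __name__ == "__main__":
    for ev in map(parse_event, SAMPLE_EVENTS):
        print(ev["TargetDomainName"] + "\\" + ev["TargetUserName"], "->", resolve_ssp(ev))
    print("CORP accounts authenticated by MSV1_0:", ntlm_domain_logons(SAMPLE_EVENTS, "CORP"))
```

Local accounts (here WS02\localadmin) are expected on MSV1_0 and are not reported; only domain accounts that bypassed the KDC are.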
If both the Kerberos and NTLM protocols fail to authenticate the user account, the following error message appears, and the user can try to log on again:
Note: Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.
