Network Access Validation Algorithm and Examples

The information in this article applies to:
- Microsoft Windows NT Advanced Server, version 3.1
- Microsoft Windows NT Server versions 3.5, 3.51, 4.0

The following is a simplified algorithm that explains how Windows NT Advanced Server account validation is observed to function during network access. This discussion does not cover the internal workings of this process. With this information, you can predict Windows NT network logon behavior under deterministic conditions.

Keep in mind when following this article that the local database is the ONLY database on a domain controller: on a domain controller, the "local" account database and the domain account database are one and the same. On every other server and on all workstations, the local database is a separate database from the domain controller's.

NOTE: All references to Windows NT Advanced Server in this article also include Windows NT Server.

Background Information

When two Microsoft network systems communicate over a network, they use a high-level protocol called server message block (SMB). SMB commands are carried inside transport protocols such as NetBEUI or TCP/IP.

When a client carries out a NET USE command, it sends an "SMB Session Setup and X" frame. In Windows NT, the Session Setup SMB includes the user account, a function of the one-way encrypted password (not the password itself), and the logon domain. An Advanced Server looks at all of this information to determine whether the client has permission to complete the NET USE command.

Algorithm

A Windows NT workstation sends the following command to an Advanced Server:

    NET USE x: \\server\share

The Windows NT client sends a Session Setup SMB that contains its Logon Domain, User Account and Password.
The Advanced Server checks the domain name specified in the SMB and takes one of four paths, depending on whether that domain is its own domain, a domain it trusts, an unknown domain, or NULL.

Case 1: If the domain is the Advanced Server's own domain then
    It checks its own domain SAM (Security Account Manager) database for a matching account.
    If it finds a matching account then
        The SMB password is compared to the domain database password.
        If the password matches then
            The command completed successfully.
        If the password does NOT match then
            The user is prompted for a password.
            It is retested as above.
            System error 1326 has occurred. Logon failure: unknown user name or bad password.
    End
    If it does NOT find the account in the domain SAM database then
        Guest permissions are tested.
        If the Guest account is enabled
            The command completed successfully.
        If the Guest account is disabled
            * See Note 1.
            The user is prompted for a password.
            System error 1326 has occurred. Logon failure: unknown user name or bad password.
    End

Case 2: If the domain specified in the SMB is one that the Advanced Server TRUSTS then
    The Advanced Server performs pass-through authentication: the network logon request is sent to an Advanced Server in the specified trusted domain.
    The trusted domain's Advanced Server checks its own domain database for a matching account.
    If it finds a matching account then
        It looks to see whether the account is a Local or a Global account.
        If the account is Local then
            Guest permissions on the ORIGINAL server are tested.
            If the Guest account is enabled
                The command completed successfully.
            If the Guest account is disabled
                * See Note 1.
                The user is prompted for a password.
                System error 1326 has occurred. Logon failure: unknown user name or bad password.
        End
        If the account is Global then
            The SMB password is compared to the trusted domain database password.
            If the password matches then
                The command completed successfully.
                * See Note 2.
            If the password does NOT match then
                The user is prompted for a password.
                It is retested as above.
                System error 1326 has occurred. Logon failure: unknown user name or bad password.
        End
    If it does NOT find the account in the trusted domain database then
        Guest permissions are tested on the ORIGINAL Advanced Server, NOT on the trusted Advanced Server.
        * See Note 3.
        If the Guest account is enabled
            The user gets the original server's Guest access.
            The command completed successfully.
        If the Guest account is disabled
            * See Note 1.
            The user is prompted for a password.
            System error 1326 has occurred. Logon failure: unknown user name or bad password.
    End

Case 3: If the domain specified in the SMB is UNKNOWN to the Advanced Server (a domain was specified, but the server does not recognize it as a trusted domain or as its own) then
    It checks its own domain account database for a matching account.
    If it finds a matching account then
        The SMB password is compared to the domain database password.
        If the password matches then
            The command completed successfully.
        If the password does NOT match then
            The user is prompted for a password.
            It is retested as above.
            System error 1326 has occurred. Logon failure: unknown user name or bad password.
    End
    If it does NOT find the account in the domain database then
        Guest permissions are tested.
        If the Guest account is enabled
            The command completed successfully.
        If the Guest account is disabled
            System error 1326 has occurred. Logon failure: unknown user name or bad password.
    End

Case 4: If the domain specified in the SMB is NULL (none specified) then
    The Advanced Server treats this as a local network logon and checks for a matching account in its own SAM database.
    If it finds a matching account then
        The SMB password is compared to the SAM database password.
        If the password matches then
            The command completed successfully.
        If the password does NOT match then
            The user is prompted for a password.
            It is retested as above.
            System error 1326 has occurred. Logon failure: unknown user name or bad password.
    End
    If it does NOT find the account in the local SAM database then
        The Advanced Server simultaneously asks an Advanced Server in each domain that it trusts whether it has an account that matches the SMB account.
        The first trusted Advanced Server to reply is sent a request to perform pass-through authentication of the client information.
        The trusted Advanced Server looks in its own SAM database.
        If an account that matches the SMB account is found then
            It looks to see whether the account is a Local or a Global account.
            If the account is Local then
                Guest permissions on the original server are tested.
                If the Guest account is enabled
                    The command completed successfully.
                If the Guest account is disabled
                    The user is prompted for a password.
                    No matter what password is entered, the user receives "Error 5: Access has been denied."
            End
            If the account is Global then
                The password specified in the SMB is compared to the SAM database password.
                If the password matches then
                    The command completed successfully.
                If the password does NOT match then
                    The user is prompted for a password.
                    It is retested as above.
                    System error 1326 has occurred. Logon failure: unknown user name or bad password.
            End
        If no trusted domain responds to the request to identify the account then
            Guest permissions are tested on the original Advanced Server, not on the trusted server.
            If the Guest account is enabled
                The command completed successfully.
            If the Guest account is disabled
                System error 1326 has occurred. Logon failure: unknown user name or bad password.
        End

Notes

1. At the point where the Guest account is disabled and the user does not have an account, the Windows NT Server still requests a password. Although no password will meet its requirements, it still requests one. This is a security measure: it ensures that an unauthorized user cannot tell the difference between the case where an account exists and the case where it does not. Password prompting always occurs, regardless of whether the account exists.

2. At this point, the following information is returned from the trusted domain in the response: Domain SID, User ID, Global Group Memberships, Logon Time, Logoff Time, KickOffTime, Full Name, Password Last Set, Password Can Change Flag, Password Must Change Flag, User Script, Profile Path, Home Directory and Bad Password Count.

3. The Guest account only matters in the domain of the server you are attempting to access. Guest accounts on trusted domains never come into play.

- All steps above assume a Global account unless a Local account is specified.
  See the "Concepts and Planning Guide" for more information on account types.
- The actual internal process is more complicated than the steps described above.
- This does not cover the actual pass-through authentication mechanics. For more information, query on the following words in the Microsoft Knowledge Base: authentication and msv
- This does not cover the password encryption process used in Windows NT. A function of the one-way encrypted password is sent, never the password itself. For more information, query on the following words in the Microsoft Knowledge Base: authentication and msv
- This article does not detail the internal workings of the MS Authentication Module.
- The above model assumes that the Guest account, when enabled, has no password. This is the default in Windows NT. If a Guest account password is specified, it must match the password that the user sends in the SMB.

Example

The following are examples of this algorithm in action:

I am logged on to my Windows NT workstation's local computer. I am using the same account name and password that is in the SCRATCH-DOMAIN Advanced Server domain account database. When I carry out the NET USE \\SCRATCH (domain controller for SCRATCH-DOMAIN) command, the command completes successfully. When I carry out the NET USE \\NET (controller of a domain that trusts SCRATCH-DOMAIN) command, I receive the error message "System error 1326 has occurred. Logon failure: unknown user name or bad password." My account SCRATCH-DOMAIN\USER1 has permissions on \\NET. What is the problem?

Configurations

Windows NT workstation:
- Logon account: USER1
- Password: PSW1
- Logon domain: LOCAL1

Windows NT Advanced Server:
- Server name: NET
- Advanced Server domain: NET-DOMAIN
- Trust: NET-DOMAIN trusts SCRATCH-DOMAIN (therefore accounts in SCRATCH-DOMAIN can be granted permissions in NET-DOMAIN)
- The domain account database for NET-DOMAIN does NOT contain an account for USER1.
- The Guest account is DISABLED.

Windows NT Advanced Server:
- Server name: SCRATCH
- Advanced Server domain: SCRATCH-DOMAIN
- Domain database contains account: USER1
- Domain database contains password: PSW1

Answer

In this example, the Windows NT workstation is logged on to its local workstation domain (LOCAL1), not to the Advanced Server domain SCRATCH-DOMAIN where its domain account resides.

NET USE x: \\NET\share
- When the Windows NT workstation carried out the NET USE x: \\NET\share command, it sent account = "USER1", password = "PSW1" and domain = "LOCAL1" in the Session Setup SMB.
- The Advanced Server \\NET received the SMB and looked at the account name.
- It looked in its local domain account database and did not find a match.
- \\NET then looked at the SMB domain name. It does not trust "LOCAL1", so it did not check any of its trusted domains.
- \\NET then checked its Guest account.
- The Guest account is disabled, so the "System error 1326 has occurred. Logon failure: unknown user name or bad password." message was generated.

NET USE x: \\SCRATCH\share
- When the Windows NT workstation carried out the NET USE x: \\SCRATCH\share command, it sent account = "USER1", password = "PSW1" and domain = "LOCAL1" in the Session Setup SMB.
- The Advanced Server \\SCRATCH received the SMB and looked at the account name.
- It looked in its local domain account database and found a match.
- \\SCRATCH then compared the SMB password to the domain account password.
- The passwords matched, so the "The command completed successfully." message was generated.

In these cases, the trust relationship does not come into play. If the workstation had been logged on to SCRATCH-DOMAIN, the NET USE x: \\NET\share command would have succeeded: the SMB would then carry domain = "SCRATCH-DOMAIN", which \\NET trusts, so \\NET would pass the logon through to SCRATCH.

The real answer here is to have all workstations log on to an Advanced Server domain. To log on, the user must specify the correct domain, account, and password. After this is done, all NET USE type commands will pass the correct domain, account, and password. Administrators should try to avoid duplicate accounts on Windows NT workstations and in multiple Advanced Server domains.

/USER: Workaround

There is one workaround that can be used in these cases. From the Windows NT workstation, you could carry out the following command:

    NET USE X: \\NET\SHARE /USER:SCRATCH-DOMAIN\USER1 PSW1

where
- \\NET = the computer name of the Advanced Server being accessed.
- \SHARE = the share name.
- /USER: = command line parameter that lets you specify the domain, account and password that should be sent in the Session Setup SMB.
- SCRATCH-DOMAIN = domain name of the Advanced Server where the user account resides.
- \USER1 = the account to be validated against.
- PSW1 = the password that matches the account in that domain.

For more information, type the following at a Windows NT command prompt:

    NET USE /?

NULL Domain Names

In addition to Windows for Workgroups 3.1, other Microsoft network clients also send NULL domain names in the Session Setup SMB (SMB command 0x73). They will also exhibit the behavior described above in the example problem. The following table shows how each client fills in the domain name:

    MS Network Client                          Domain Name Specified
    -----------------------------------------  ---------------------
    Windows for Workgroups 3.1                 NULL
    Windows for Workgroups 3.11                Logon domain name
    MS OS/2 LAN Manager 2.0, 2.1, and 2.2      NULL
    MS-DOS LAN Manager 2.0                     NULL
    MS-DOS LAN Manager 2.1 & 2.2               Logon domain name *
      (including Windows on MS-DOS)
    Windows NT 3.1                             Logon domain name

* For the MS-DOS LAN Manager 2.1 and 2.2 clients, the default domain name is specified in the LANMAN.INI file on the "DOMAIN =" line. This can be overridden by the /DOMAIN: switch of the NET LOGON command.
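The four cases of the algorithm, Notes 1 to 3, the USER1/SCRATCH example, the /USER: workaround and the NULL-domain handling can all be exercised together with the following executable model. It is an added example written for this page, not Microsoft's code and not the real MSV1_0/LSA logic: a Domain object stands in for a domain controller and its SAM, a trusted domain is represented by its controller's Domain object, list order stands in for "the first trusted controller to reply", and passwords are compared as the plain values the article names rather than as the one-way function that is really sent. The net_use() helper and its treatment of a /USER: value without a domain prefix are assumptions of the model as well.

```python
"""Executable model of the Windows NT network-logon validation algorithm above.
Added example for this page, not Microsoft's code: a Domain object stands in for
a domain controller and its SAM, and list order stands in for "the first trusted
controller to reply" (both assumptions)."""
from dataclasses import dataclass, field

SUCCESS = 0
ERROR_ACCESS_DENIED = 5       # "Error 5: Access has been denied."
ERROR_LOGON_FAILURE = 1326    # "Logon failure: unknown user name or bad password."


@dataclass
class Account:
    password: str             # compared as plain text here; the wire carries a one-way function
    is_global: bool = True    # Local accounts are never honoured across a trust


@dataclass
class Domain:
    """A domain controller: its local database IS the domain database."""
    name: str
    accounts: dict = field(default_factory=dict)   # user name -> Account
    guest_enabled: bool = False
    guest_password: str = ""                       # NT default: Guest has no password
    trusts: list = field(default_factory=list)     # Domain objects this domain trusts


def normalize_domain(smb_domain):
    """The NT SMB server turns both a zero-length name and the one-byte name '?'
    into a NULL domain before the logon reaches the LSA."""
    if smb_domain is None or smb_domain in ("", "?"):
        return None
    return smb_domain.upper()


def _guest(server, smb_password):
    """Guest is tested only on the server being accessed (Note 3). With the default
    blank Guest password any SMB password is accepted; otherwise it must match."""
    if server.guest_enabled and server.guest_password in ("", smb_password):
        return SUCCESS
    return ERROR_LOGON_FAILURE


def _compare(account, smb_password):
    return SUCCESS if account.password == smb_password else ERROR_LOGON_FAILURE


def _pass_through(server, trusted, user, smb_password, local_account_error):
    """Validation by a trusted domain controller; None if it has no such account."""
    account = trusted.accounts.get(user)
    if account is None:
        return None
    if not account.is_global:
        # Local account in the trusted domain: only Guest on the ORIGINAL server
        return SUCCESS if _guest(server, smb_password) == SUCCESS else local_account_error
    return _compare(account, smb_password)


def validate(server, user, smb_password, smb_domain):
    """Status NET USE reports for a Session Setup SMB carrying (user, password,
    domain) that is sent to the domain controller `server`."""
    user, domain = user.upper(), normalize_domain(smb_domain)
    trusted = {d.name.upper(): d for d in server.trusts}
    own = server.accounts.get(user)

    if domain == server.name.upper():           # case 1: the server's own domain
        return _guest(server, smb_password) if own is None else _compare(own, smb_password)
    if domain in trusted:                       # case 2: a trusted domain -> pass-through
        rc = _pass_through(server, trusted[domain], user, smb_password, ERROR_LOGON_FAILURE)
        return _guest(server, smb_password) if rc is None else rc
    if domain is not None:                      # case 3: unknown domain -> own SAM, then Guest
        return _guest(server, smb_password) if own is None else _compare(own, smb_password)
    if own is not None:                         # case 4: NULL domain -> local logon first...
        return _compare(own, smb_password)
    for dc in server.trusts:                    # ...then the trusted domains (assumed order)
        rc = _pass_through(server, dc, user, smb_password, ERROR_ACCESS_DENIED)
        if rc is not None:
            return rc
    return _guest(server, smb_password)


def net_use(server, logon_user, logon_password, logon_domain, user_switch=None, password=None):
    """What the workstation puts in the Session Setup SMB: its interactive logon
    credentials, unless /USER:[domain\\]user [password] overrides them. A /USER:
    value without a domain is assumed to keep the logon domain (assumption)."""
    if user_switch is None:
        return validate(server, logon_user, logon_password, logon_domain)
    domain, _, user = user_switch.rpartition("\\")
    return validate(server, user, logon_password if password is None else password,
                    domain or logon_domain)


# The configuration from the article's example
SCRATCH_DOMAIN = Domain("SCRATCH-DOMAIN", accounts={"USER1": Account("PSW1")})
NET_DOMAIN = Domain("NET-DOMAIN", trusts=[SCRATCH_DOMAIN])   # no USER1, Guest disabled


def article_example():
    """The outcomes the article walks through, keyed by the command that produced them."""
    ws = ("USER1", "PSW1", "LOCAL1")            # workstation logged on to its own SAM
    return {
        "NET, logged on to LOCAL1": net_use(NET_DOMAIN, *ws),
        "SCRATCH, logged on to LOCAL1": net_use(SCRATCH_DOMAIN, *ws),
        "NET, /USER:SCRATCH-DOMAIN\\USER1": net_use(NET_DOMAIN, *ws, "SCRATCH-DOMAIN\\USER1", "PSW1"),
        "NET, logged on to SCRATCH-DOMAIN": net_use(NET_DOMAIN, "USER1", "PSW1", "SCRATCH-DOMAIN"),
    }
```

Calling article_example() reproduces the article's four outcomes: \\NET fails with 1326 while the workstation is logged on to LOCAL1, \\SCRATCH succeeds, the /USER: workaround succeeds, and \\NET succeeds once the workstation is logged on to SCRATCH-DOMAIN. Passing "" or "?" as the domain exercises case 4, which is the path the Windows for Workgroups 3.1 and LAN Manager 2.0 clients in the table above always take.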
There are typically two representations for "NULL" in the SMB: a zero-length domain name, and a one-byte domain name consisting of the character '?'. The Windows NT SMB server catches the '?' and translates it to NULL before passing the logon to the Local Security Authority (LSA).

Troubleshooting

A good tip for troubleshooting network access problems is to enable auditing:

1. In the User Manager for Domains window, choose Audit from the Policies menu.
2. Select the Audit These Events button.
3. Select the Logon and Logoff Success and Failure options.

From then on, any time a network user accesses this server remotely, an audit trail is logged in the Event Viewer. In the Event Viewer, choose Security from the Log menu to see the events.

For information on trust relationships, pass-through authentication, user permissions, and domain logons, see your Windows NT Advanced Server "Concepts and Planning" guide or query on the following words in the Microsoft Knowledge Base: authentication and pass-through

Additional query words: wfw wfwg prodnt
Keywords: kbnetwork
Technology: kbWinNTsearch kbWinNT351xsearch kbWinNT350xsearch kbWinNT400xsearch kbWinNTSsearch kbWinNTS400xsearch kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTS351xsearch kbWinNTS350xsearch

My example 1:

The machine Yawl has a user lilu, and my machine also has a user lilu, with a different password. Yawl is logged on to the GC domain. After I logged on locally as kknd (another local user):

    C:\Documents and Settings\lilu>net use o: \\192.168.7.60\temp /user:lilu
    The password or user name is invalid for \\192.168.7.60\temp.
    Enter the password for \\192.168.7.60\temp:   (entered the lilu password from yawl)
    System error 1326 has occurred.
    Logon failure: unknown user name or bad password.

// My guess here is that because yawl is already logged on to the GC domain, if no domain is specified it is treated as authenticating the lilu user on the GC domain.

    C:\Documents and Settings\lilu>net use o: \\192.168.7.60\temp /user:gc\lilu
    The password or user name is invalid for \\192.168.7.60\temp.
    Enter the password for \\192.168.7.60\temp:   (entered the lilu password from yawl)
    System error 1326 has occurred.
    Logon failure: unknown user name or bad password.

    C:\Documents and Settings\lilu>net use o: \\192.168.7.60\temp /user:gc\lilu
    The password or user name is invalid for \\192.168.7.60\temp.
    Enter the password for \\192.168.7.60\temp:   (entered the lilu password from GC)
    The command completed successfully.

// Because the TEMP share on YAWL is open to EVERYONE.

    C:\Documents and Settings\lilu>ping -a 192.168.7.60
    Pinging IS~YAWL [192.168.7.60] with 32 bytes of data:
    Reply from 192.168.7.60: bytes=32 time<10ms TTL=128

    C:\Documents and Settings\lilu>nbtstat -A 192.168.7.60
    Local Area Connection:
    Node IpAddress: [192.168.7.10] Scope Id: []

               NetBIOS Remote Machine Name Table
           Name               Type         Status
        ---------------------------------------------
        INet~Services  <1C>  GROUP       Registered
        IS~YAWL........<00>  UNIQUE      Registered
        YAWL           <00>  UNIQUE      Registered
        GC             <00>  GROUP       Registered
        GC             <1E>  GROUP       Registered
        YAWL           <20>  UNIQUE      Registered

        MAC Address = 00-01-02-80-2A-8B

    C:\Documents and Settings\lilu>ping yawl
    Pinging yawl [192.168.7.60] with 32 bytes of data:
    Reply from 192.168.7.60: bytes=32 time<10ms TTL=128

    C:\Documents and Settings\lilu>net use o: \\192.168.7.60\temp /user:yawl\lilu
    The password or user name is invalid for \\192.168.7.60\temp.
    Enter the password for \\192.168.7.60\temp:   (entered the lilu password from YAWL)
    The command completed successfully.

My example 2:

The machine Zer9 (Win2K) has a guest user; Zer9 is not logged on to the GC domain. After I logged on to my own machine locally as kknd (another local user):

    C:\Documents and Settings\lilu>net use h: \\192.168.8.66\avi /user:guest
    The password or user name is invalid for \\192.168.8.66\avi.
    Enter the password for \\192.168.8.66\avi:
    System error 1326 has occurred.
    Logon failure: unknown user name or bad password.

    C:\Documents and Settings\lilu>net use h: \\192.168.8.66\avi /user:local\guest
    The password or user name is invalid for \\192.168.8.66\avi.
    Enter the password for \\192.168.8.66\avi:   (entered the guest password from Zer9)
    The command completed successfully.

The most important point is that "local" can be used to specify a user on the target machine.

My example 3:

The machine Files (192.168.0.10) has a user lilu and is the DC of the GC domain. My machine also has a user lilu, with the same password.

1) After my machine logs on to the GC domain, if the logged-on user is LILU, the shares on FILES can be accessed directly.

2) After I log on locally as kknd (another local user), to access \\192.168.0.10\file:

    C:\Documents and Settings\lilu>net use h: \\192.168.0.10\file /user:lilu
    The password or user name is invalid for \\192.168.0.10\file.
    Enter the password for \\192.168.0.10\file:   (entered the password of LILU on GC)
    System error 1326 has occurred.
    Logon failure: unknown user name or bad password.

    C:\Documents and Settings\lilu>net use h: \\192.168.0.10\file /user:gc\lilu
    The password or user name is invalid for \\192.168.0.10\file.
    Enter the password for \\192.168.0.10\file:   (entered the password of LILU on GC)
    The command completed successfully.

// Analysis of the cause: FILES sees that the domain information in the SMB sent by my machine is unknown, so it looks in its own DOMAIN SAM for a matching user account. (Note that FILES itself has no LILU account, whereas the GC domain has this user.) If a matching account is found, the password in the SMB session is compared with the password stored in the DOMAIN SAM. If the password matches, The Command Completed Successfully. If the password does not match, System error 1326 has occurred. Logon failure: unknown user name or bad password. If no matching account is found, Guest permissions are tested. If the Guest account is Enabled, The Command Completed Successfully. If the Guest account is Disabled, System error 1326 has occurred. Logon failure: unknown user name or bad password. (I suspect that at first, when the GC domain was not specified, a Guest account was offered as a decoy; see NOTE 1 above.)

My tips

When accessing a network share gives error 1240:

    System error 1240 has occurred.
    The account is not authorized to login from this station.

Modify the registry:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
    "enableplaintextpassword"=dword:00000000
    "enablesecuritysignature"=dword:00000001
    "requiresecuritysignature"=dword:00000000
    "OtherDomains"=hex(7):00,00

http://support.microsoft.com/support/kb/articles/q224/2/87.asp

That article says to change "enableplaintextpassword" to 1, but I did not do so, and the 1240 error no longer occurred. On the whole, it should be caused by SMB encryption.

    E:\tools\scaner>net use \\192.168.7.40\ipc$ /user:""
    System error 67 has occurred.
    The network name cannot be found.

    E:\tools\scaner>net use \\192.168.7.40\ipc$ "" /user:""
    The command completed successfully.

Analysis: without the "", the local password for /user:"" was submitted automatically, so the connection could not be made. Using "" amounts to explicitly specifying an empty password.
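The auditing tip in the article's Troubleshooting section produces Security-log events that, by design (Note 1), do not say whether an account exists or only the password was wrong. What the event does carry is the domain name the client put in the Session Setup SMB, and that alone tells you which of the four cases of the algorithm the server went down. The following added example (not from the article or from the notes above) runs that classification over a handful of constructed audit records and counts the failed network logons per workstation, account and case. The field names follow the NT 4.0 Logon/Logoff audit events (528 successful logon, 529 logon failure for unknown user name or bad password, 538 logoff; logon type 3 is a network logon), but the one-line "key=value" serialization is an assumption of this example, not the Event Viewer export format, and the server's own and trusted domain names are passed in by the caller.

```python
"""Triage of NT Logon/Logoff audit events (added example, not from the article).
The records below are constructed for illustration; the field names follow the
NT 4.0 event 528/529 descriptions, but the one-line key=value serialization is
an assumption of this example, not the Event Viewer export format."""
import re
from collections import Counter

# Constructed sample: what the Security log on \\NET (NET-DOMAIN, trusts
# SCRATCH-DOMAIN) might show once Logon/Logoff auditing is enabled.
SAMPLE_LOG = """\
id=529 user=USER1 domain=LOCAL1 type=3 workstation=WKS1
id=529 user=USER1 domain=LOCAL1 type=3 workstation=WKS1
id=529 user=USER1 domain=LOCAL1 type=3 workstation=WKS1
id=528 user=USER1 domain=SCRATCH-DOMAIN type=3 workstation=WKS1
id=529 user=ADMINISTRATOR domain= type=3 workstation=WFW31
id=529 user=BOB domain=NET-DOMAIN type=3 workstation=WKS2
id=529 user=BOB domain=NET-DOMAIN type=2 workstation=NET
id=538 user=USER1 domain=SCRATCH-DOMAIN type=3 workstation=WKS1
"""

LOGON_FAILURE_BAD_NAME_OR_PASSWORD = 529   # NT 4.0 Security event ID
NETWORK_LOGON = 3                          # Logon Type 3 (2 is interactive)

_FIELD = re.compile(r"(\w+)=(\S*)")        # a value may be empty (NULL domain)


def parse_records(text):
    """Yield one dict per non-empty line; absent fields are simply missing."""
    for line in text.splitlines():
        if line.strip():
            yield dict(_FIELD.findall(line))


def classify_domain(smb_domain, own_domain, trusted_domains):
    """Map the Domain field of the event to the branch of the validation
    algorithm that handled the logon (the four cases in the article)."""
    if smb_domain in ("", "?"):            # both spellings of NULL in the SMB
        return "NULL domain (case 4: local SAM, then every trusted domain)"
    d = smb_domain.upper()
    if d == own_domain.upper():
        return "own domain (case 1: only this domain's SAM)"
    if d in {t.upper() for t in trusted_domains}:
        return "trusted domain (case 2: pass-through)"
    return "unknown domain (case 3: only this domain's SAM, then Guest)"


def failed_network_logons(text, own_domain, trusted_domains):
    """Count 529 events with Logon Type 3 by (workstation, domain\\user, case).
    The event cannot say whether the account exists (Note 1), so the domain
    classification is the most useful hint it carries."""
    counts = Counter()
    for rec in parse_records(text):
        if int(rec.get("id", 0)) != LOGON_FAILURE_BAD_NAME_OR_PASSWORD:
            continue
        if int(rec.get("type", 0)) != NETWORK_LOGON:
            continue
        domain = rec.get("domain", "")
        case = classify_domain(domain, own_domain, trusted_domains)
        who = f"{domain}\\{rec.get('user', '')}"
        counts[(rec.get("workstation", "?"), who, case)] += 1
    return counts


if __name__ == "__main__":
    report = failed_network_logons(SAMPLE_LOG, "NET-DOMAIN", ["SCRATCH-DOMAIN"])
    for (ws, who, case), n in report.most_common():
        print(f"{n:3d}  from {ws:<6} as {who:<24} -> {case}")
```

On the sample, the three LOCAL1\USER1 failures from WKS1 land in case 3, which is exactly the "workstation logged on locally instead of to its domain" situation from the Example section, and the empty-domain failure from WFW31 is the Windows for Workgroups 3.1 behaviour from the NULL Domain Names table. The interactive failure (type 2) and the successful logon and logoff records are left out of the count.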