When a user logs on, the password the user types is converted into a password hash and held in Random Access Memory (RAM) by the Local Security Authority Subsystem Service (LSASS) process. If the user is using a local account for authentication, the hash is compared against the locally stored NTLMv2 Hash, and if the two match, the user is logged on.
If the user is authenticating against a Microsoft Active Directory (AD) domain by using a hostname to access a resource, the NTLMv2 Hash is used in a Kerberos logon against the Key Distribution Center (KDC), which is typically the Domain Controller. The password verifier is computed by WINLOGON, not LSASS.
Kerberos cannot be used in the following situations:
- Authentication against a domain running only Windows NT 4.0 or earlier
- Accessing a resource on a non-Domain Controller by using an IP Address rather than a hostname
- Accessing a resource on a computer that is not a member of an AD domain
- Accessing any resource on a computer that does not support Kerberos
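
The IP-address case in the list above is the one an administrator can find by inspection. The following added example (not part of the original page) audits a list of UNC paths and reports those addressed by IP literal. The sample paths and function names are constructed for illustration. It goes slightly beyond the text by also recognising the `.ipv6-literal.net` form Windows uses for IPv6 addresses in UNC paths. It cannot tell whether a target is a Domain Controller, so findings are candidates for review.

```python
import ipaddress
import re

# Constructed sample: UNC paths as they might appear in logon scripts or drive mappings.
SAMPLE_PATHS = [
    r"\\fileserver01\finance",
    r"\\fileserver01.corp.example\finance",
    r"\\192.0.2.10\backup",
    r"\\2001-db8--10.ipv6-literal.net\tools",
    r"\\10.0.0.300\typo",  # not a valid IPv4 address, so it is treated as a name
]

UNC_HOST = re.compile(r"^\\\\([^\\/]+)")


def unc_host(path):
    """Return the server component of a UNC path, or None if the path is not UNC."""
    m = UNC_HOST.match(path.strip())
    return m.group(1) if m else None


def as_ip_literal(host):
    """Return an ipaddress object if host is an IP literal, otherwise None."""
    h = host.lower()
    suffix = ".ipv6-literal.net"
    if h.endswith(suffix):
        # UNC form of IPv6: ':' is written as '-', and a zone index follows an 's'.
        h = h[: -len(suffix)].split("s")[0].replace("-", ":")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        return None


def audit(paths):
    """Return (path, address) for every UNC path whose server is an IP literal."""
    findings = []
    for p in paths:
        host = unc_host(p)
        ip = as_ip_literal(host) if host else None
        if ip is not None:
            findings.append((p, str(ip)))
    return findings


if __name__ == "__main__":
    for path, addr in audit(SAMPLE_PATHS):
        print(f"{path}: addressed by IP {addr}, Kerberos not usable per the list above")
```

Replacing each reported path with the server's hostname removes that entry from the list of situations in which Kerberos cannot be used.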