Overview[1]#
How passwords (and password hashes) are used in Windows is not all about Microsoft Active Directory. When a user logs on, the password the user types is converted into a password hash and held in Random Access Memory (RAM) by the Local Security Authority Subsystem Service (LSASS) process. If the user is authenticating with a local account, that hash is compared against the locally stored NTLMv2 Hash, and if the two match, the user is authenticated.
If the user is authenticating against a Microsoft Active Directory AD DOMAIN by using a hostname to access a resource, the NTLMv2 Hash is used in a Kerberos logon against the Key Distribution Center (KDC), which is typically a Domain Controller. The password verifier is computed by the Netlogon service, not LSASS.
Kerberos cannot be used in the following situations:
- Authentication against an AD DOMAIN running only Windows NT 4.0 or earlier
- Accessing a resource on a non-Domain Controller by using an IP Address rather than a hostname
- Accessing a resource on a computer that is not a member of an AD DOMAIN
- Accessing any resource on a computer that does not support Kerberos
In these situations, the authentication process uses different protocols that are determined by the LAN Manager authentication level Group Policy Object setting.
More Information#
There might be more information for this subject on one of the following:
- [#1] - Passwords Technical Overview
- based on information obtained 2017-06-21