Overview#

Netlogon service is a Authentication Mechanism used in the Windows Client Authentication Architecture which verifies logon requests, and it registers, authenticates, and locates Domain Controllers.

Netlogon service can only be used after user, service, or computer authentication has taken place. During network logon, the process does not use the credentials entry dialog boxes to collect data. Instead, previously established credentials or another method to collect credentials is used. This process confirms the user's identity to any network service that the user is attempting to access. This process is typically invisible to the user unless alternate credentials have to be provided.

To provide this Authentication Mechanism, the security system includes these authentication mechanisms:

• Kerberos version 5 protocol
• Public Key certificates
• Secure Socket Layer/Transport Layer Security (SSL/TLS)
• Digest SSP
• NTLM, for compatibility with Windows Server NT 4.0-based systems
• Netlogon Remote Protocol

More Information#

There might be more information for this subject on one of the following:

• Event 4625
• How Domain Controllers Are Located in Windows
• How passwords are used in Windows
• INTERDOMAIN_TRUST_ACCOUNT
• LDAP Signing
• LDAP ping
• Netlogon Remote Protocol
• Netlogon attribute
• Windows Authentication Package

---

• [#1] - windows-logon-scenarios - based on information obtained 2018-11-02
• [#2] - CVE-2020-1472 - Netlogon Elevation of Privilege Vulnerability - based on information obtained 2020-10-12