NT also supports an alternate form of user authentication, so-called LAN Manager authentication or LM authentication, for backward compatibility with earlier versions of Windows (Windows 3.1, Windows for Workgroups, and Windows 95). It is similar in overall operation to the NT authentication method but differs in implementation specifics. The authenticating server converts the user's password to all uppercase before hashing and storing it (in addition to the unmodified NT version of the password). The user's workstation converts the password submitted by the user to all uppercase. The workstation pads the user's password, which may be up to 14 characters long, with extra nulls (all zeroes) to make up 21 bytes. The software then divides the 21 bytes into three 7-byte groups, and converts each of them into a 64-bit encryption key. The security system then encrypts the nonce three times, once by each of the newly created encryption keys and returns it to the server. The server performs the same action on the locally stored password, using the all-uppercase LAN Manager version and compares the result with the values returned from the workstation. Which form of authentication applies depends on the workstation's operating system. The NT Server that authenticates domain users may choose to accept this latter form of authentication, or may allow only NT authentication, as determined by the administrator. The latter case
|
|
|
|
|
|
|
|