Wednesday, October 12, 2011

Windows XP Authentication Process



Windows XP Professional Authentication Process
To gain access to a computer running Windows XP Professional or to any resource on that computer (whether the computer is configured to use the Welcome screen or the Log On To Windows dialog box), you must provide a user name and possibly a password.
The way Windows XP Professional authenticates a user depends on whether the user is logging on to a domain or logging on locally to a computer (see Figure).



Figure: Windows XP Professional grants an access token based on user credentials during the authentication process.


The steps in the authentication process are as follows:
1. The user logs on by providing logon credentials—typically user name and password—and Windows XP Professional forwards this information to the security subsystem of that local computer.
2. Windows XP Professional compares the logon credentials with the user information in the local security database, which resides in the security subsystem of the local computer.
3. If the credentials are valid, Windows XP Professional creates an access token for the user, which is the user’s identification for that local computer. The access token contains the user’s security settings, which allow the user to gain access to the appropriate resources on that computer and to perform specific system tasks.

Secondary Logon service


How to Run Programs with Different User Credentials

Windows XP Professional allows you to run programs using user credentials that are
different from the currently logged-on user. Using different credentials is useful if you
are troubleshooting a user’s computer and do not want to log off and log back on
using administrative permissions just to perform a troubleshooting task or run a particular
program. Using this method is also more secure than logging on to a user’s computer
with administrative credentials.
Running a program with different credentials in Windows XP Professional relies on a
built-in service named the Secondary Logon service. This service must be running
(and it is by default on computers running Windows XP) to run a program with alternate
credentials.


To determine whether the Secondary Logon service is running (and enable the service
if it is not running), follow these steps:


1. Log on to the computer as Administrator or as a user with administrative permissions.
2. From the Start menu, click Control Panel.
3. In the Control Panel window, click Performance and Maintenance.
4. In the Performance and Maintenance window, click Administrative Tools.
5. In the Administrative Tools window, double-click Services.
6. In the Services window, locate the Secondary Logon service on the list of Services.
7. If the status for the Secondary Logon service is listed as Started, the service is
enabled, and you can close the Services window. If the status is listed as Manual
or Disabled, right-click the Secondary Logon service and click Properties.
8. On the General tab of the Secondary Logon Properties dialog box, on the Startup
type drop-down list, click Automatic.
9. In the Service Status section, click Start.
10. Click OK to close the Secondary Logon Properties dialog box, and then close the Services window.


If the Secondary Logon service is running, you can run a program using different user
credentials than the currently logged-on user. On the Start menu, right-click the shortcut
for the program you want to run. On the shortcut menu, click Run As. In the Run
As dialog box that opens, you can run the program as the current user, or you can
enter an alternative user name and password. Microsoft recommends logging on with
a limited user account and using this technique to run applications that require administrative
privileges.
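
The Services steps above can also be carried out from a command prompt opened with administrative permissions. The batch script below is an added example, not part of the original post; it assumes the service's short name is seclogon, which the page does not give.

```batch
@echo off
rem Added example: command-line equivalent of the Services window steps.
rem Assumption: "seclogon" is the short name of the Secondary Logon service.
setlocal
set SVC=seclogon

rem Confirm the service exists before changing anything.
sc query %SVC% >nul 2>&1
if errorlevel 1 (
    echo Service %SVC% was not found on this computer.
    exit /b 1
)

rem Step 7: show the current startup type (AUTO_START, DEMAND_START or DISABLED).
sc qc %SVC% | find "START_TYPE"

rem Step 8: set the startup type to Automatic if it is not already.
rem sc.exe requires the space after "start=".
sc qc %SVC% | find "AUTO_START" >nul
if errorlevel 1 (
    sc config %SVC% start= auto
    if errorlevel 1 (
        echo Could not change the startup type. Administrative permissions are required.
        exit /b 1
    )
)

rem Step 9: start the service if it is not already running.
sc query %SVC% | find "RUNNING" >nul
if errorlevel 1 (
    net start %SVC%
    if errorlevel 1 exit /b 1
)

rem Show the final state so the result can be verified.
sc query %SVC% | find "STATE"
endlocal
```

With the service running, `runas /user:COMPUTERNAME\Administrator cmd` is the command-line counterpart of the Run As dialog box (COMPUTERNAME is a placeholder for the local computer name); it prompts for that account's password.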