Understanding Authentication and Authorization
the access token or one of the groups contained in the access token are also
contained in the permission list, you are granted access to the resource. If
not, you get an access-denied message.
Figure 1-7: Logging on to Active Directory in a Microsoft network environment.
[Diagram: the Windows client sends a logon request to the Windows Server (domain controller); the request is verified against the Active Directory database; logon success or failure is returned to the client.]
If you do not have a server-based network environment and you are simply
running Windows 2000 Professional or Windows XP, when you log on,
the logon request is sent to the local computer — to an account database
known as the Security Accounts Manager (SAM) database. When you log on
to the SAM database, an access token is generated as well, and that helps
the system determine what files you can access.
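The check described above (the account or one of the groups in the access token matched against a resource's permission list), modelled as an added example that is not from the book. It goes one step beyond the text by also handling deny entries, which Windows evaluates in list order; the class names, rights bits, accounts and file are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed rights bits, not Windows access-mask values

@dataclass(frozen=True)
class AccessToken:
    """Built once at logon: the account plus the groups it belonged to then."""
    user: str
    groups: frozenset = frozenset()

    def identities(self):
        return {self.user} | self.groups

@dataclass(frozen=True)
class Entry:
    """One line of a resource's permission list."""
    allow: bool    # True = allow entry, False = deny entry
    trustee: str   # user or group the entry names
    rights: int    # bitmask of READ / WRITE

def check_access(token, permission_list, wanted):
    """Walk the list in order; True only if every wanted right is granted."""
    ids = token.identities()
    remaining = wanted
    for entry in permission_list:
        if entry.trustee not in ids:
            continue                      # entry names someone else
        if entry.allow:
            remaining &= ~entry.rights    # these rights are now granted
            if remaining == 0:
                return True
        elif entry.rights & remaining:
            return False                  # explicit deny of a right still needed
    return False                          # nothing matched: access denied

# Constructed sample data (hypothetical accounts, groups and file).
PAYROLL_XLS = [
    Entry(False, "Contractors", WRITE),
    Entry(True, "Sales", READ),
    Entry(True, "Managers", READ | WRITE),
]
alice = AccessToken("alice", frozenset({"Sales", "Domain Users"}))
bob = AccessToken("bob", frozenset({"Managers", "Contractors"}))
carol = AccessToken("carol")

if __name__ == "__main__":
    for tok in (alice, bob, carol):
        for name, right in (("READ", READ), ("WRITE", WRITE)):
            verdict = "granted" if check_access(tok, PAYROLL_XLS, right) else "denied"
            print(f"{tok.user:6} {name:5} {verdict}")
```

Because the token is built at logon, a group added to an account afterwards does not appear in `identities()` until the user logs on again.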
Smart card
Another type of logon supported by network environments today is the
use of a smart card. A smart card is a small, ATM card–like device that
contains your account information. You insert the smart card into a smart