Logon Types
Login via physical machine or via runas.exe
The computer compares the NT hash of the password entered by the user against the one in the SAM database. The NT hash derived from the user's password is now stored in the lsass process.
The computer asks for the TGT from the Domain Controllers, and the TGT gets cached in the system to provide SSO functionality. If the Domain Controller is not available, the computer checks the user credentials in the Domain Cached Credentials. To perform interactive logon, the user requires the SeInteractiveLogonRight on the Domain Controllers.
When a user connects to non-interactive services like SMB, RPC, SQL, etc.
Requires a password, NT hash, or Kerberos keys for authentication. Prone to PTT and PTH.
Credentials are NOT cached in the target machine. Credentials/tickets are only cached in the case of Kerberos Delegations.
The client negotiates the authentication mechanism using .
Used in the context of a scheduled task running as a user.
The password of the task user is stored in the LSA secrets.
The password is cached in the lsass process when the task is executed.
Used in the context of a service running as a user.
The plain password is stored in the LSA secrets when the task is created. The cached credentials are stored in the lsass process when the service is executed.
Used by PowerShell remoting when CredSSP is specified. The credentials are sent over an encrypted channel.
The credentials are cached in the lsass process on the target machine.
Used when the user runs runas with the /netonly option.
The credentials are cached in the lsass process.
The credentials are not checked until they are used.
Used when a user logs in to the computer using RDP.
Credentials are cached in the lsass process.
It uses CredSSP to send credentials.
The user needs to be part of the "Remote Desktop Users" group or have "SeRemoteInteractiveLogonRight" to be able to RDP.
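
The caching behaviour described above can be turned into a check over logon events: which hosts ended up holding a privileged account's credentials in lsass. The following is an added example, not part of the original page. It assumes events exported as XML from the Security log (event ID 4624) and uses the standard Windows LogonType numbers and 4624 field names, which the page does not list; host and account names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Standard Windows LogonType value -> (name, credentials cached in lsass on
# the host that logs the event, following the page's descriptions).
LOGON_TYPES = {
    2: ("Interactive", True), 4: ("Batch", True), 5: ("Service", True),
    3: ("Network", False),  # page: cached only with Kerberos delegation
    8: ("NetworkCleartext", True), 9: ("NewCredentials", True),
    10: ("RemoteInteractive", True),
}

def parse_4624(xml_text):
    """Return (host, account, logon_type) for a 4624 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): d.text or ""
            for d in root.iterfind("e:EventData/e:Data", NS)}
    ltype = int(data.get("LogonType", "0"))
    account = data.get("TargetUserName", "")
    # runas /netonly: the supplied account is in TargetOutboundUserName.
    outbound = data.get("TargetOutboundUserName", "-")
    if ltype == 9 and outbound not in ("", "-"):
        account = outbound
    return root.findtext("e:System/e:Computer", namespaces=NS), account, ltype

def exposed_privileged_logons(events_xml, privileged):
    """(host, account, type name) for each logon that leaves a watched
    account's credentials in lsass on the logging host."""
    watch = {p.lower() for p in privileged}
    hits = []
    for host, account, ltype in filter(None, map(parse_4624, events_xml)):
        name, cached = LOGON_TYPES.get(ltype, ("Other", False))
        if cached and account.lower() in watch:
            hits.append((host, account, name))
    return hits

def _event(host, user, ltype, outbound="-", event_id=4624):
    """Build a constructed, trimmed event record for the sample below."""
    fields = {"TargetUserName": user, "LogonType": ltype,
              "TargetOutboundUserName": outbound}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{host}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')

SAMPLE = [_event("WS01", "da-alice", 10), _event("FS01", "da-alice", 3),
          _event("WS02", "bob", 9, outbound="da-alice"),
          _event("WS01", "da-alice", 2, event_id=4634)]
```

Calling `exposed_privileged_logons(SAMPLE, ["da-alice"])` reports the RDP logon on WS01 and the `runas /netonly` use on WS02, and skips the network logon to FS01.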