In Microsoft Windows NT–based networks, a method of performing authentication to a domain controller that resides in a trusted domain. Pass-through authentication enables users to log on to computers in domains in which they do not have a valid user account.

Users in a multidomain Windows NT–based network can thus access resources anywhere in the enterprise for which they have suitable permissions.

How It Works

Consider the example of an enterprise consisting of three domains: two resource domains (the trusting domains) in which network resources such as shared folders or printers reside, and a master domain (the trusted domain) in which all user accounts are defined. The resource domains trust the master domain using Windows NT one-way nontransitive trusts. When a user attempts to log on to a computer in a resource domain, pass-through authentication takes place in one of two ways:

  • When the user first logs on to the computer, the domain controller in the resource domain passes the user’s credentials to the domain controller in the master domain. The user is authenticated, and the user’s security identifier (SID) and group membership are returned to the domain controller in the resource domain.
  • If the user tries to access a shared folder or printer in the other resource domain, the user’s credentials are passed to the domain controller in the master domain in order to be authenticated for resource access.
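
The three-domain scenario above can be sketched as a toy model. This is an added example, not Windows code; it shows the pass-through step and how one-way, nontransitive trusts limit which requests are forwarded. The domain names MASTER, RES1 and RES2, the account, the SID and the function names are constructed for illustration, and the password check stands in for the real credential exchange.

```python
# Toy model of pass-through authentication (added illustration, not Windows code).
import hmac
from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str
    # account -> (password, SID, groups); every value here is a constructed sample
    accounts: dict = field(default_factory=dict)
    # domains this domain trusts directly (one-way, nontransitive)
    trusts: set = field(default_factory=set)

    def verify(self, user, password):
        """Check credentials against this domain's own account database."""
        entry = self.accounts.get(user)
        if entry is None:
            return None
        if not hmac.compare_digest(entry[0].encode(), password.encode()):
            return None
        return {"sid": entry[1], "groups": entry[2], "validated_by": self.name}


def logon(dcs, local_domain, account_domain, user, password):
    """Handle a logon or resource-access request arriving at local_domain's DC."""
    local_dc = dcs[local_domain]
    if account_domain == local_domain:
        return local_dc.verify(user, password)  # account lives in this domain
    if account_domain not in local_dc.trusts:
        return None  # no direct trust to the account domain: nothing to pass to
    # Pass-through: the trusted domain's DC validates the credentials and
    # returns the user's SID and group membership to the trusting domain.
    return dcs[account_domain].verify(user, password)


def build_enterprise():
    """One master (account) domain trusted by two resource domains."""
    master = DomainController("MASTER", accounts={
        "alice": ("s3cret", "S-1-5-21-1111-2222-3333-1001", ["Domain Users"]),
    })
    res1 = DomainController("RES1", trusts={"MASTER"})
    res2 = DomainController("RES2", trusts={"MASTER"})
    return {dc.name: dc for dc in (master, res1, res2)}


if __name__ == "__main__":
    dcs = build_enterprise()
    print(logon(dcs, "RES1", "MASTER", "alice", "s3cret"))  # validated by MASTER
    print(logon(dcs, "RES1", "RES2", "alice", "s3cret"))    # None: RES1 does not trust RES2
```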