In a Windows domain environment, a secure channel provides a secure communication path between the following security principals:
- A workstation or member server and a domain controller (DC) in the same domain
- DCs in the same domain
- DCs in different domains
A secure channel always involves a DC. Think of a secure channel as the enabler of secure communication between machines and their trusted authority in the same domain, and between the trusted authorities of different domains. Secure in this context means providing authentication of the requestor and confidentiality, integrity, and data-authentication services for the data sent across the channel. Here are two examples of critical functions that secure channels perform in a Windows NT environment:
- A secure channel enables secure replication of the SAM data between the DCs of an NT domain.
- A secure channel enables secure exchange of Challenge/Response messages and pass-through authentication in an NT LAN Manager (NTLM) authentication sequence.
The service responsible for setting up secure channels is Netlogon, which creates secure channels at system startup time. A common misconception is that Netlogon sets up a secure channel with the closest DC. In reality, Netlogon creates a secure channel with the first DC that responds to a secure-channel request. In NT, the requestor of the secure channel uses NetBIOS name resolution to locate a DC. NetBIOS name resolution can include NetBIOS broadcasts and WINS server queries. How NT resolves NetBIOS names depends on the configuration of NetBIOS name resolution: Is the requesting machine configured as a B-node, P-node, M-node, or H-node NetBIOS node type? Also, does the machine's LMHOSTS file have a preloaded 1C entry (the domain controllers group name) for the domain? For more information about the NetBIOS node types, see the TCP/IP implementation details chapter in the networking guide of the Microsoft Windows NT Server 4.0 Resource Kit.
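The two questions above (node type and preloaded 1C entry) decide which DC answers first, and therefore which DC Netlogon pairs with. The following PowerShell is an added example, not from the original article: it reads the NetBT node type from the registry, parses LMHOSTS-format text for `#PRE`/`#DOM:` entries (a `#DOM:` tag is what places a host in the domain's 1C group), and then checks the resulting secure channel. The LMHOSTS text and the domain name `CORP` are constructed samples; run the last two commands on a domain-joined machine as an administrator.

```powershell
# Added example (not part of the original article). Audits the NetBIOS inputs
# that steer Netlogon's DC selection, then verifies the secure channel itself.

function Get-NetbtNodeType {
    # NodeType under NetBT\Parameters: 1=B, 2=P, 4=M, 8=H. When it is absent,
    # Windows uses B-node, or H-node if a WINS server is configured. A DHCP-
    # supplied value lands in DhcpNodeType instead, so check both.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $v = if ($null -ne $p.NodeType) { $p.NodeType } else { $p.DhcpNodeType }
    switch ($v) {
        1 { 'B-node (broadcast only)' }
        2 { 'P-node (WINS only)' }
        4 { 'M-node (broadcast, then WINS)' }
        8 { 'H-node (WINS, then broadcast)' }
        default { 'not set: B-node, or H-node if a WINS server is configured' }
    }
}

function Get-LmhostsDomainEntries {
    # Parse LMHOSTS lines. Entry lines start with an IP address; lines that
    # start with '#' are comments or directives (#INCLUDE, #BEGIN_ALTERNATE).
    # '#DOM:<domain>' adds the host to that domain's 1C group; '#PRE' preloads
    # the entry into the name cache so it is consulted before any broadcast.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $parts = $t -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $dom = $null
        foreach ($f in $parts) { if ($f -match '^#DOM:(.+)$') { $dom = $Matches[1] } }
        if ($dom) {
            [pscustomobject]@{
                Address   = $parts[0]
                Host      = $parts[1]
                Domain    = $dom
                Preloaded = [bool]($parts -contains '#PRE')   # only #PRE entries form a preloaded 1C entry
            }
        }
    }
}

# Constructed sample LMHOSTS content (not a real configuration).
$sampleLmhosts = @'
192.0.2.10   DC1       #PRE #DOM:CORP
192.0.2.11   DC2       #DOM:CORP
192.0.2.50   FILESRV   #PRE
'@ -split "`r?`n"

"Node type: $(Get-NetbtNodeType)"
Get-LmhostsDomainEntries -Lines $sampleLmhosts | Format-Table -AutoSize  # DC1 preloaded, DC2 not, FILESRV has no 1C role
Test-ComputerSecureChannel -Verbose   # -Verbose names the DC the channel was built with
nltest /sc_query:CORP                  # "Trusted DC Name" shows the same DC; CORP is a placeholder domain
```

On a real member, replace the sample text with `Get-Content "$env:SystemRoot\System32\drivers\etc\lmhosts"`; a `#DOM:` line without `#PRE` is only read on a cache miss, which is the case the article's second question is about.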