Anytime you have an authenticator, you have to store some form of it so that it can be compared at run time to what the principal enters when authenticating. The storage method differs depending both on the type of authenticator and how the designer built the system.

In this section we will discuss various ways authenticators are stored in Windows, particularly focusing on passwords because they are more commonly used and subject to far more variation than smart cards.

Smart cards rely on certificates. (For more information about certificates, see Chapter 10.) The smart card itself holds the secret portion of the certificate. The authentication system, in this case an Active Directory domain, holds the public ...