Windows Server 2008 R2 and Windows 7 restrict NTLM authentication usage out of the box. This feature is known as NTLM blocking. NTLM blocking prevents NTLM from being used for authentication
The NetLogon service is responsible for implementing pass-through authentication. To perform pass-through authentication, the service:
- Selects the domain to pass the authentication request to.
- Selects the server within the domain.
- Passes the authentication request through to the selected server.
Selecting the domain is straightforward. The domain name is passed to LsaLogonUser, which supports interactive logons, service logons, and network logons. When the specified domain name is not trusted by the domain, the authentication request is processed on the computer being connected to, as if the specified domain name were that computer's own name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name.
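The following added example (not code from the original page or from Microsoft) models the domain-selection step and uses it to list logons that were handled locally because the supplied domain name was unrecognized. The function names, the event fields and the sample records are constructed, and the local-name and trusted-domain branches are assumptions, since the page describes only the untrusted case.

```python
"""Model of NetLogon domain selection, plus a check for local fallback.
Added example: names, event fields and sample records are constructed."""

LOCAL = "local_sam"            # assumed branch: name is this computer's own name
PASS_THROUGH = "pass_through"  # assumed branch: name is a domain this computer trusts
FALLBACK = "local_fallback"    # from the page: unrecognized name, processed locally


def select_domain(supplied, computer_name, trusted_domains):
    """Return how a logon carrying the supplied domain name is routed."""
    # Assumption of this model: names are compared case-insensitively.
    name = (supplied or "").strip().upper()
    if name == computer_name.upper():
        return LOCAL
    if name in {d.upper() for d in trusted_domains}:
        return PASS_THROUGH
    # Nonexistent, untrusted and mistyped names are indistinguishable here:
    # all of them are processed on the computer being connected to.
    return FALLBACK


def fallback_logons(events, computer_name, trusted_domains):
    """Return the events whose domain name fell through to local processing."""
    return [e for e in events
            if select_domain(e["domain"], computer_name, trusted_domains) == FALLBACK]


# Constructed network-logon records (not real log output). The target is a
# hypothetical server FILESRV01 that is a member of, and trusts, domain CORP.
SAMPLE_EVENTS = [
    {"user": "alice", "domain": "CORP", "source": "WS01"},
    {"user": "Administrator", "domain": "FILESRV01", "source": "WS02"},
    {"user": "Administrator", "domain": "CROP", "source": "WS03"},   # mistyped
    {"user": "backup", "domain": "PARTNER", "source": "WS04"},       # untrusted
    {"user": "svc", "domain": "NOSUCHDOM", "source": "WS05"},        # nonexistent
]

if __name__ == "__main__":
    for e in fallback_logons(SAMPLE_EVENTS, "FILESRV01", ["CORP"]):
        print(f'{e["domain"]}\\{e["user"]} from {e["source"]}: '
              "checked against local accounts")
```

A logon that succeeds with an unrecognized domain name was validated against a local account on the target, which makes such records useful for finding reused local credentials.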