Tintri Knowledge Base > 002 Knowledge Article Database > Authentication Process

Authentication Process

Applies To


Product(s): T445, T540, T6xx, T8xx

Product Version(s): Tintri OS v3.0 (and later).



A few things happen when a user tries to log in through the UI or REST API. This brief article aims to describe some of the internal workings of that process in the hope that it helps to resolve issues in the field. 


When a user goes to the UI login page or attempts to authenticate through the REST API, a number of things happen internally.



The username and password is passed from Systems Management to the Authentication Service that made its debut in version 3.0. The Authentication Service checks the username and password against the configured authentication profile (Active Directory, LDAP) and returns a pass/fail based on that.

Access Control


The Authentication Service is asked for a list of groups to which the user is a member. Groups may be nested (groups that are members of groups that are members of groups) and may well be in a different domain than the one the VMstore is aware. RBAC (Role Based Access Control) is performed by Systems Management to determine that the authenticated user is able to access the functionality they've requested (viewing pages, changing settings, manipulating security configuration).


The logging for the Authentication Service will be tagged with 'AUTH' or 'RESOLV' in the debug log, whereas SM RBAC functionality is logged in the UI debug log.

Each time a logged-in user requests a new UI page or makes a new REST API request, RBAC checks are done but authentication isn't required if the user's session was already authenticated.

This process applies to anything that uses the REST API directly or indirectly, including the PowerShell API bindings.

Last modified



This page has no classifications.