Active Directory Authentication
What is Active Directory Authentication?
In infrastructure, different authentication protocols are being used (e.g., LM, NTML, NTMLv2, Kerberos, LDAP) to verify users and grant them access to a domain.
Microsoft® Active Directory (AD) supports both Kerberos and the Lightweight Directory Access Protocol (LDAP). Kerberos is an open standard and provides interoperability with other systems, which use the same standard. The protocol offers strong authentication for clients and servers using secret-key cryptography. Instead of transmitting the user’s actual password over the network, Kerberos utilizes tickets.
AD Authentication and Kerberos
Tickets are issued by the Kerberos Key Distribution (KDC), which runs on the Domain Controller as part of Active Directory Domain Services (AD DS). When a user logs in to a system, the client requests a ticket for the user from the Key Distribution Center, leveraging the user’s password to encrypt the request. If the Kerberos Key Distribution can decrypt the request with the user’s password—which it knows—it then creates a ticket-granting ticket (TGT) for the user. The ticket-granting ticket encrypts the ticket with the user’s password and sends it back to the client.
If the client can decrypt the ticket with the password it has, it knows the Key Distribution Center is legitimate. A client requests a ticket for a service from the Key Distribution Center by presenting its ticket-granting ticket and a ticket-granting service (TGS) request that includes the name of the service it would like access to.
The Key Distribution Center then creates a service ticket encrypted with the service’s password hash, then encrypts the ticket and authenticator message with the shared ticket-granting service session key before finally sending it back to the client. The client subsequently requests access to the service by presenting the service ticket it obtained from the Key Distribution Center to the application server, which decrypts the message using its own password hash. If successful, the application server grants access to the client.
AD Authentication and LAPD
Active Directory also supports the Lightweight Directory Access Protocol for directory lookups, and it is not uncommon for it to be used in conjunction with Kerberos. In essence, Lightweight Directory Access Protocol allows systems and applications to talk to directory services such as Active Directory. When utilizing Lightweight Directory Access Protocol, there are two overarching mechanisms: simple authentication as well as the simple authentication and security layer (SASL).
The simple authentication method involves three approaches: anonymous authentication, unauthenticated authentication, and name/password authentication. Typically, simple authentication means a name and password are used to create a BIND request to the server for authentication. The simple authentication and security layer framework leverages another service—like Kerberos—to add another security layer to the authentication process.
Active Directory is a critical part of IT infrastructure. Without a proper approach to access, threat actors can put the entire IT environment at risk.