Authentication and Authorization

Authentication and authorization are critical aspects of Active Directory (AD) that ensure secure access to network resources. This section provides an overview of Kerberos and NTLM authentication, and the basics of authorization mechanisms within AD.

Warning
Understanding the authentication and authorization processes is essential for securing network resources and ensuring that users have appropriate access based on their roles and permissions.

Kerberos Authentication

Kerberos Protocol Overview

  • Definition: Kerberos is a network authentication protocol designed to provide strong authentication for client-server applications by using secret-key cryptography.
  • Components:
    • Key Distribution Center (KDC): The server that issues tickets for authentication. It comprises two main services:
      • Authentication Service (AS): Issues the Ticket-Granting Ticket (TGT).
      • Ticket-Granting Service (TGS): Issues service tickets based on the TGT.
    • Client and Server: The client requests access to a service, and the server provides access based on the validation of the tickets.

Ticket-Granting Ticket (TGT) and Service Tickets

  • Ticket-Granting Ticket (TGT):

    • Purpose: Issued by the Authentication Service (AS) after the client provides valid credentials. It allows the client to request service tickets without re-entering their password.
    • Content: Contains a session key and the client’s identity information, encrypted with the KDC’s secret key.
  • Service Tickets:

    • Purpose: Issued by the Ticket-Granting Service (TGS) based on the TGT. They are used to access specific services within the network.
    • Content: Contains a session key and the client’s identity information, encrypted with the service’s secret key.

How Kerberos Works in AD

  • Process:

    • Initial Authentication: The client authenticates with the AS to obtain a TGT.
    • Service Request: The client presents the TGT to the TGS to receive a service ticket for a specific resource.
    • Accessing Service: The client presents the service ticket to the server hosting the resource, which grants access if the ticket is valid.
  • Advantages:

    • Single Sign-On (SSO): Users need to authenticate only once to access multiple services.
    • Mutual Authentication: Both the client and the server authenticate each other to ensure secure communication.
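The three steps above modelled end to end, as an added example that is not code from the original page: a toy KDC with an AS and a TGS function, a resource server, and a client that walks through AS, TGS and AP exchanges. The principal names alice, krbtgt and cifs/fs01, their keys and the sealing routine are all constructed; the sealing routine only stands in for the real Kerberos encryption types.

```python
import hashlib, hmac, json, os, time

# Toy sealed-ticket primitive (HMAC-SHA256 keystream + tag); it stands in for the real
# Kerberos encryption types and is not a production cipher.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed (wrong key or tampered)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed long-term keys; in AD each derives from the account's password.
KEYS = {"alice": hashlib.sha256(b"alice-pw").digest(),
        "krbtgt": hashlib.sha256(b"krbtgt-secret").digest(),
        "cifs/fs01": hashlib.sha256(b"fs01-pw").digest()}

def as_exchange(client):
    """AS-REQ/AS-REP: TGT sealed with the krbtgt key, session key sealed with the client key."""
    sk = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"cname": client, "sk": sk, "exp": time.time() + 600})
    return tgt, seal(KEYS[client], {"sk": sk})

def tgs_exchange(tgt, authenticator, service):
    """TGS-REQ/TGS-REP: open the TGT, check the authenticator, issue a service ticket."""
    t = unseal(KEYS["krbtgt"], tgt)
    if t["exp"] < time.time():
        raise ValueError("TGT expired")
    if unseal(bytes.fromhex(t["sk"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match TGT")
    ssk = os.urandom(32).hex()
    st = seal(KEYS[service], {"cname": t["cname"], "sk": ssk, "exp": time.time() + 600})
    return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def ap_exchange(service, st, authenticator):
    """AP-REQ at the resource server: only the service's own key opens the ticket."""
    t = unseal(KEYS[service], st)
    return unseal(bytes.fromhex(t["sk"]), authenticator)["cname"] == t["cname"] and t["exp"] > time.time()

def client_login(client, service):
    """The three steps listed above from the client's side; True when the server admits the client."""
    tgt, rep = as_exchange(client)
    sk = bytes.fromhex(unseal(KEYS[client], rep)["sk"])  # only the real client can open this
    st, rep2 = tgs_exchange(tgt, seal(sk, {"cname": client}), service)
    ssk = bytes.fromhex(unseal(sk, rep2)["sk"])
    return ap_exchange(service, st, seal(ssk, {"cname": client}))
```

Note that neither the client nor the resource server can read or alter the TGT, because only the KDC holds the krbtgt key; the server validates the service ticket without ever contacting the KDC.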

NTLM Authentication

When NTLM is Used

  • Definition: NTLM (NT LAN Manager) is a challenge-response authentication protocol used for network authentication.
  • Usage: NTLM is used where Kerberos is not available or applicable, such as on older systems or in scenarios involving non-Windows systems.
  • Fallback: NTLM may be used as a fallback method when Kerberos authentication fails or when dealing with legacy applications.

Differences Between NTLM and Kerberos

  • Protocol:

    • Kerberos: Uses tickets and a centralized Key Distribution Center (KDC) for authentication.
    • NTLM: Uses a challenge-response exchange between client and server rather than tickets issued by a central KDC.
  • Security:

    • Kerberos: Provides stronger security through mutual authentication and encryption of tickets.
    • NTLM: Has known security weaknesses, such as susceptibility to pass-the-hash attacks.
  • Efficiency:

    • Kerberos: More efficient with a single sign-on capability and reduced need for repeated authentication requests.
    • NTLM: Requires re-authentication for each request, which can lead to performance and security issues.
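An added example (not code from the original page) of the check a defender runs to see where NTLM is still in use: it counts successful logons by authentication package from Security event 4624 and separates accounts that fell back to NTLM on a host where they also use Kerberos from sources that only ever authenticate with NTLM. The event records are constructed sample data; the field names are those of the 4624 EventData.

```python
from collections import Counter, defaultdict

# Constructed sample of Security event 4624 (successful logon) EventData fields, as a
# log shipper would emit them. LogonType 3 is a network logon.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "AuthenticationPackageName": "Kerberos",
     "LogonType": 3, "WorkstationName": "WS01", "IpAddress": "10.0.1.20"},
    {"EventID": 4624, "TargetUserName": "alice", "AuthenticationPackageName": "NTLM",
     "LogonType": 3, "WorkstationName": "WS01", "IpAddress": "10.0.1.20"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "AuthenticationPackageName": "NTLM",
     "LogonType": 3, "WorkstationName": "LEGACY01", "IpAddress": "10.0.9.5"},
    {"EventID": 4624, "TargetUserName": "bob", "AuthenticationPackageName": "Kerberos",
     "LogonType": 2, "WorkstationName": "WS02", "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "carol", "AuthenticationPackageName": "NTLM",
     "LogonType": 3, "WorkstationName": "-", "IpAddress": "10.0.1.77"},
]

def package_breakdown(events):
    """Successful logons per authentication package (Kerberos vs NTLM)."""
    return Counter(e["AuthenticationPackageName"] for e in events if e["EventID"] == 4624)

def _packages_by(events, key):
    """Set of packages seen per key over network logons only."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            seen[key(e)].add(e["AuthenticationPackageName"])
    return seen

def ntlm_fallbacks(events):
    """(account, source) pairs that used both Kerberos and NTLM: the host can do Kerberos,
    so the NTLM logons are fallbacks (Kerberos failed for that request) worth explaining."""
    seen = _packages_by(events, lambda e: (e["TargetUserName"], e["IpAddress"]))
    return sorted(k for k, pkgs in seen.items() if {"Kerberos", "NTLM"} <= pkgs)

def ntlm_only_sources(events):
    """Source addresses that never authenticate with Kerberos: the legacy inventory to
    work through before NTLM is restricted by policy."""
    seen = _packages_by(events, lambda e: e["IpAddress"])
    return sorted(ip for ip, pkgs in seen.items() if pkgs == {"NTLM"})
```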

Authorization Basics

Access Control Lists (ACLs)

  • Definition: Access Control Lists (ACLs) specify the permissions on securable objects, such as AD objects, files, folders, and printers.
  • Components:
    • Access Control Entry (ACE): Each entry in an ACL that specifies permissions for a user or group.
    • Object Security Descriptor: Contains the ACLs associated with an object, defining the permissions granted or denied.
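An added example (not code from the original page) that parses the DACL of a security descriptor written in SDDL form into its ACEs and evaluates an access token against it in the order Windows applies the entries, which is what makes deny entries and ACE ordering matter. The SDDL string, the user SIDs and the token group sets are constructed, and only a subset of the SDDL aliases and rights is covered.

```python
import re
from typing import NamedTuple

# Subset of SDDL well-known SID aliases and access-right mnemonics (real values).
SID_ALIAS = {"BA": "S-1-5-32-544", "WD": "S-1-1-0", "AU": "S-1-5-11", "SY": "S-1-5-18"}
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
class Ace(NamedTuple):
    allow: bool   # True for type A (access allowed), False for type D (access denied)
    mask: int     # access mask the ACE grants or denies
    sid: str      # trustee SID
def parse_rights(field):
    """Rights are either hex (0x1200a9) or a run of two-letter mnemonics (FRFX)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Ordered ACEs from the D: (DACL) component of a security descriptor string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # stop at the SACL if present
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        f = body.split(";")
        if f[0] in ("A", "D"):   # audit and object-specific ACE types are ignored here
            aces.append(Ace(f[0] == "A", parse_rights(f[2]), SID_ALIAS.get(f[5], f[5])))
    return aces

def access_check(aces, token_sids, desired):
    """DACL walk as Windows performs it: ACEs in order; a matching deny on any still-wanted
    bit refuses access; matching allows accumulate until every desired bit is granted.
    Generic-to-specific right mapping and the owner's implicit rights are omitted."""
    remaining = desired
    for ace in aces:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

# Constructed sample: deny one user everything, admins full control, authenticated users read.
SDDL = "O:BAG:BAD:(D;;FA;;;S-1-5-21-1-2-3-1105)(A;;FA;;;BA)(A;;FR;;;AU)"
ALICE = {"S-1-5-21-1-2-3-1104", "S-1-5-11", "S-1-1-0"}   # token group SIDs, constructed
BOB = {"S-1-5-21-1-2-3-1105", "S-1-5-11", "S-1-1-0"}
ADMIN = {"S-1-5-32-544", "S-1-5-11", "S-1-1-0"}
```

Because allows accumulate as the list is walked, an allow that precedes a deny for the same trustee grants access before the deny is reached, which is why Windows keeps DACLs in canonical order with explicit deny entries first.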

Permissions and Rights

  • Permissions:

    • File and Folder Permissions: Control access to files and folders, including read, write, execute, and modify permissions.
    • Share Permissions: Control access to shared network resources, such as network folders and printers.
  • Rights:

    • User Rights: Specific rights assigned to users or groups that define what actions they can perform on a system, such as logging on locally or accessing remote desktop.
    • Group Policies: Used to enforce security settings and permissions across the network.

Info
Understanding the authentication and authorization mechanisms in AD is essential for securing network resources and ensuring that users have appropriate access based on their roles and responsibilities. Both Kerberos and NTLM play crucial roles in different scenarios, while ACLs and permissions help manage access control effectively.