How Active Directory Authentication Works (Explained)
Organizations use different authentication protocols to verify their users and grant them access to the domain. Among them, the most effective is Active Directory authentication.
What is Active Directory (AD)?
Active Directory is a directory service designed for Windows operating systems. In other words, it is a database and set of services that connect users with the network resources they need to get their work done. All the crucial information about the environment is held in its database: for example, a list of users with relevant details such as job title, phone number and password. It also records the permissions of each of these users.
Active Directory (AD) controls most of the activities performed in an IT business. Its main function is to enable administrators to manage permissions and control access to network resources. In Active Directory, data is stored as objects, which include users, groups and devices, and these objects are categorized by their name and attributes. In brief, it is the foundation of identity protection. Hence it is essential to learn how Active Directory authentication works with Kerberos, and we hope this article provides you with detailed information on the topic.
Benefits Of Active Directory Authentication
The next part of this guide on how Active Directory authentication works explains its key benefits:
Provides Single Point Of Access To Resources
Active Directory uses single sign-on (SSO) to give users access to network resources on any server within the domain. It identifies a user only once and then grants access to the network resources assigned to the roles and privileges that user holds within Active Directory.
Simplifies Resource Location
Centralizes Resources and Security Administration
Active Directory offers a single point from which administrators manage and secure network resources. It is organized according to an organizational model, a business model, or the type of function administered. For instance, Active Directory allows an organization to assign an administrator based on the department in which users work, their geographical location, or a combination of both.
The main service in Active Directory is Domain Services (AD DS), which provides strong security and compliance features such as password policies and data encryption that can be applied to specific objects or containers. AD DS security is key for any environment, as it is the foundation of identity protection. Active Directory also includes Lightweight Directory Services (AD LDS), the Lightweight Directory Access Protocol (LDAP) and Federation Services (AD FS).
How Active Directory Authentication Works?
It is important to understand how Active Directory authentication works with Kerberos. Networks rely on many different protocols; for authentication, Active Directory uses Kerberos version 5 to authenticate the client and the server to each other on an open network to which other systems are also connected.
Kerberos is about creating tickets. Tickets are issued by a trusted third party and rely on symmetric encryption (with keys held by the trusted third party) to establish trust.
Suppose two users communicate regularly and often exchange confidential data with each other. To protect this information, they have agreed on a password that verifies their identities before any data is exchanged. When the first person wants to communicate with the second, he simply states his name and waits for the other to verify it against the server. Once identified, they continue with their communication.
This communication takes place on a single network with many connected systems. Now assume a third person is connected to the same network on which the first two are communicating, and can observe their entire exchange.
He can therefore read all the data exchanged between the two. Once he has found the secret, he starts communicating with the second person while pretending to be the first. In this way he obtains crucial secret information and can misuse it for his own purposes. Kerberos eliminates this issue by using a shared symmetric cryptographic key instead of sending the secret itself; this key is also used for encryption and decryption.
The Kerberos protocol has three main components:
- the clients,
- the servers,
- the trusted authority, also known as the Key Distribution Center (KDC), which issues secret keys.
Before diving into the detailed overview of Kerberos, it is crucial to understand how a typical key exchange works.
Key Distribution Center (KDC)
This part of How Active Directory Authentication Works (Explained) covers the key exchange.
The KDC in Active Directory is part of the domain controller (AD DC). It is responsible for two main functions:
- Authentication Service (AS).
- Ticket Granting Services (TGS).
1. The client wants to verify himself to the KDC and connects to the AS.
2. He presents his user ID to the AS and requests a ticket for the targeted server. This request is partially encrypted with the secret key derived from his password.
3. The AS uses the key derived from the client's password to decrypt the request. This is how the AS verifies the user.
4. After verifying the client, the AS sends the client a Ticket Granting Ticket (TGT). The TGT is encrypted with a different secret key.
5. After the client receives the TGT, he sends it to the TGS along with his request to access the targeted server.
6. When the TGS receives the TGT, it decrypts it with the secret key it shares with the AS.
7. The TGS issues a token (the service ticket) for the client and encrypts it with another key. This third key is shared between the TGS and the targeted server.
8. The client sends the token to the targeted server, which decrypts it with the key it shares with the TGS. Now the client can use the targeted server for a limited time, set by the token.
The Kerberos authentication process uses three different secret keys:
1. The first key, between the client and the AS, is derived from the client's password.
2. The AS and the TGS share a second secret key.
3. The TGS and the targeted server share a third secret key.
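The eight steps and the three keys above, simulated in Python as an added example (not code from the original article): the client key is derived from the password, the TGT is sealed under the key the AS shares with the TGS, and the service ticket under the key shared with the target server. The principals, passwords and the toy cipher are constructed for this example; it also shows why the eavesdropper from the earlier scenario cannot read or forge a ticket without holding one of the keys.

```python
import hashlib, hmac, json, os, time

def derive_key(password, salt):
    """Long-term key from a password (stand-in for the Kerberos string-to-key step)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    """Toy authenticated symmetric encryption (constructed for this example, not Kerberos's ciphers)."""
    plain, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Fails unless the caller holds the same key, so an eavesdropper can neither read nor forge a ticket."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed principals holding the three long-term keys the article lists.
KEYS = {"alice": derive_key("S3cret!", "alice"),   # key 1: client <-> AS, derived from the password
        "krbtgt": os.urandom(32),                   # key 2: shared by the AS and the TGS
        "cifs/files": os.urandom(32)}               # key 3: shared by the TGS and the target server

def kerberos_exchange(user, password, service, lifetime=600):
    """Runs steps 1-8 and returns (what the target server accepted, the service ticket on the wire)."""
    ukey = derive_key(password, user)
    # 1-3: the AS-REQ carries a timestamp sealed under the user's key; the AS decrypts it to verify the user.
    unseal(KEYS[user], seal(ukey, {"ts": time.time()}))   # raises ValueError on a wrong password
    # 4: the TGT is sealed under the krbtgt key; the client carries it but cannot read inside it.
    tgt = seal(KEYS["krbtgt"], {"client": user, "session": os.urandom(16).hex(), "exp": time.time() + lifetime})
    # 5-7: the TGS opens the TGT with the key it shares with the AS and issues a ticket under the service key.
    body = unseal(KEYS["krbtgt"], tgt)
    ticket = seal(KEYS[service], {"client": body["client"], "session": os.urandom(16).hex(), "exp": body["exp"]})
    # 8: the target server decrypts the ticket with its own key and honours it only until it expires.
    accepted = unseal(KEYS[service], ticket)
    if time.time() > accepted["exp"]:
        raise ValueError("ticket expired")
    return accepted, ticket

def eavesdropper_can_read(ticket):
    """A third system on the network sees the ticket bytes but holds none of the three keys."""
    try:
        return bool(unseal(os.urandom(32), ticket))
    except ValueError:
        return False
```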
How Active Directory Authentication Works (Explained) Conclusion
Although Active Directory authentication is relatively complex, it keeps sensitive information out of the hands of anyone who might misuse it. That is why Kerberos is a well-known and widely used authentication protocol that also lies at the heart of Microsoft's Active Directory.
Also check out the Active Directory ports used by Active Directory authentication.