This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Authentication and Authorization

Kerberos Authentication

Kerberos is the primary authentication protocol in Active Directory, providing secure, efficient authentication without transmitting passwords over the network.

Kerberos Components:

  • Key Distribution Center (KDC): Authentication service running on domain controllers

  • Authentication Server (AS): Issues ticket-granting tickets (TGTs)

  • Ticket Granting Server (TGS): Issues service tickets

  • Principal: Any entity that can be authenticated (user, computer, service)

Kerberos Authentication Process:

Step 1: Initial Authentication (AS Exchange)

  1. Client sends authentication request to KDC

  2. KDC verifies credentials and returns TGT encrypted with user's password hash

  3. Client decrypts TGT using password hash, proving identity

Step 2: Service Request (TGS Exchange)

  1. Client requests service ticket from TGS, presenting TGT

  2. TGS validates TGT and returns service ticket encrypted with service's password hash

  3. Service ticket contains session key for client-service communication

Step 3: Service Authentication (AP Exchange)

  1. Client presents service ticket to target service

  2. Service decrypts ticket and validates client identity

  3. Optional mutual authentication proves service identity to client

Kerberos Security Features:

  • Password Protection: Passwords never transmitted over network

  • Mutual Authentication: Both parties can verify each other's identity

  • Time-Limited Access: Tickets have expiration times

  • Replay Protection: Timestamps prevent reuse of intercepted tickets

NTLM Authentication

NTLM is a legacy authentication protocol still used in certain scenarios:

NTLM Usage Scenarios:

  • Authentication to servers using IP addresses instead of hostnames

  • Authentication across firewalls that block Kerberos ports

  • Legacy applications that don't support Kerberos

  • Local authentication on standalone systems

NTLM Authentication Process:

  1. Client sends username to server

  2. Server sends challenge (random string) to client

  3. Client encrypts challenge with password hash and sends response

  4. Server validates response with domain controller

NTLM Security Limitations:

  • No mutual authentication (servers don't prove their identity)

  • Vulnerable to pass-the-hash attacks

  • Susceptible to relay attacks

  • Weaker encryption than Kerberos

Authorization Model

Access Tokens: When users successfully authenticate, Windows creates an access token containing:

  • User SID and group SIDs

  • Privileges assigned to the user

  • Default DACL for objects created by the user

  • Session information

Access Control Lists (ACLs): Every securable object has an ACL containing:

  • Discretionary Access Control List (DACL): Permissions granted or denied

  • System Access Control List (SACL): Auditing settings

Access Control Entries (ACEs): Individual entries in ACLs specifying:

  • Security principal (user, group, computer)

  • Access rights (read, write, full control, etc.)

  • Access type (allow or deny)

  • Inheritance flags

Authorization Process:

  1. User attempts to access resource

  2. System compares user's access token against resource's DACL

  3. System evaluates ACEs in order to determine access

  4. First matching "deny" ACE blocks access

  5. Matching "allow" ACEs grant access
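The five-step check above, written out as an added example (not code from this guide or from Windows itself). The token is modelled as the set of SIDs it carries, the DACL as an ordered list of ACEs, and the rights as constructed placeholder bits; SIDs are constructed samples. It also shows the edge case the order rule implies: a "deny" placed after an "allow" that already covers the right has no effect, which is why Windows keeps ACEs in canonical order (explicit denies first).

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed access-mask bits for the example (real Windows masks are wider).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    sid: str                    # security principal the entry applies to
    mask: int                   # access rights the entry covers
    allow: bool                 # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    inherit_only: bool = False  # INHERIT_ONLY entries do not apply to this object


def access_check(token_sids: Set[str], dacl: Optional[List[Ace]], desired: int) -> bool:
    """Walk the DACL in order and decide whether every desired right is granted."""
    if dacl is None:            # NULL DACL: the object is unprotected, everyone gets everything
        return True
    remaining = desired         # rights still to be granted
    for ace in dacl:
        if ace.inherit_only or ace.sid not in token_sids:
            continue            # entry does not apply to this object or this token
        if ace.allow:
            remaining &= ~ace.mask          # accumulate granted rights
            if remaining == 0:
                return True                 # all requested rights granted: stop
        elif ace.mask & remaining:
            return False                    # deny covering a still-needed right: stop
    return False                # empty DACL, or rights left ungranted: access denied


# Constructed token and DACLs (sample SIDs, not real ones).
USER = "S-1-5-21-EXAMPLE-1104"
DOMAIN_USERS = "S-1-5-21-EXAMPLE-513"
CONTRACTORS = "S-1-5-21-EXAMPLE-2001"
TOKEN = {USER, DOMAIN_USERS, CONTRACTORS}

# Canonical order: the explicit deny precedes the allows, so it wins for WRITE.
CANONICAL_DACL = [
    Ace(CONTRACTORS, WRITE, allow=False),
    Ace(DOMAIN_USERS, READ, allow=True),
    Ace(USER, WRITE, allow=True),
    Ace(USER, FULL, allow=True, inherit_only=True),  # skipped: child objects only
]

# Non-canonical order: the allow is reached first and the later deny is never applied.
NON_CANONICAL_DACL = [Ace(USER, WRITE, allow=True), Ace(CONTRACTORS, WRITE, allow=False)]
```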
