What is Kerberos?

Kerberos is a network authentication protocol which uses symmetric key cryptography to provide authentication services to client-server applications. It is a ticket based protocol and requires a trusted third party known as the key distribution center (KDC) to operate. Initially developed by Massachusetts Institute of Technology (MIT) for Project Athena, Kerberos is now used as the default authentication protocol in Windows 2000 and all the later versions.

What is LDAP?

The Lightweight Directory Access Protocol (LDAP), introduced in the year 1993, is a core protocol that eventually paved the way for Microsoft's Active Directory and Open LDAP. It is an open and cross-platform protocol used to maintain distributed directory information in an organized and easy-to-access manner. LDAP also serves as a directory services authentication protocol by providing a common language that applications can use to communicate with servers of other directory services.

Difference between Kerberos and LDAP

While Kerberos is a ticket-based authentication protocol for trusted hosts on untrusted networks, the Lightweight Directory Access Protocol (LDAP) is an authentication protocol for accessing server resources over the internet or an intranet.

How Kerberos works

Kerberos is a ticket-based authentication protocol. The principal entities involved in the Kerberos protocol are:
  • Client - The client acts on behalf of the user and initiates the request.
  • Server - The server hosts the services that the user wants to access.
  • Authentication Server (AS) - This server performs client authentication and issues the client a Ticket Granting Ticket (TGT) if authentication is successful.
  • Ticket Granting Server (TGS) - This is an application server that issues service tickets.
  • Database (db) - The authentication server verifies access rights of users in the database.
  • Key Distribution Center (KDC) - The KDC provides authentication and ticket granting services. The AS, TGS and db are a part of KDC.

Step-by-step explanation of Kerberos protocol:

  • A user attempts to join the network through the client’s interactive logon screen.
  • The client constructs a package called an authenticator which has information about the client (username, date, and time). Except for the username, all the other information contained in the authenticator is encrypted with the user’s password.
  • The client then sends the encrypted authenticator to the KDC.
  • The KDC immediately knows the identity of the client that has sent the authenticator by looking at the username. The KDC will then look into its AD database for the user’s password, which is a shared secret. It then decrypts the authenticator with the password. If the KDC is able to decrypt the authenticator, it means that the identity of the client is verified.
  • Once the identity of the client is verified, the KDC creates a ticket granting ticket (TGT), which is encrypted using a key that only the KDC knows.
  • The KDC sends the TGT to the client. The client stores the TGT in its Kerberos tray. It can use this ticket whenever it needs to access a resource on a server on the network (within a typical time limit of eight hours).
  • When the client needs to access another server, it sends the TGT to the KDC along with a request to access the resource.
  • The KDC decrypts the TGT with its key. This step verifies that the client has previously authenticated itself to the KDC.
  • The KDC generates a ticket for the client to access the shared resource. This ticket is encrypted by the server’s key. The KDC then sends this ticket to the client.
  • The client saves this ticket in its Kerberos tray, and sends a copy of it to the server.
  • The server uses its own password to decrypt the ticket. If the server successfully decrypts the ticket, it knows that the ticket is legitimate.
  • The server will then determine whether the client has the necessary permission to access the resource by looking through the access control list (ACL).
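The three exchanges above (authenticator to the AS, TGT to the TGS, service ticket to the server), written out as an added Python simulation that is not part of the original page. The sealing primitive, the user and service keys, and the names "clara" and "cifs/fs01" are constructed for the illustration; real Kerberos uses AES-based encryption types and a far richer ticket format.

```python
import hashlib, hmac, json, os, time
# Toy authenticated encryption (HMAC keystream + HMAC tag), constructed for this
# illustration only; real Kerberos uses AES-based encryption types.
def derive_key(password: str) -> bytes:          # string-to-key, simplified
    return hashlib.sha256(password.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest()
                    for i in range(n // 32 + 1))
def seal(key: bytes, msg: dict) -> bytes:
    data, nonce = json.dumps(msg).encode(), os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return body + hmac.new(key, body, "sha256").digest()
def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")   # decryption failure: reject
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

KDC_KEY = os.urandom(32)                                  # known only to the KDC
USERS = {"clara": derive_key("Clara-pw-constructed")}     # constructed AD database
SERVICES = {"cifs/fs01": derive_key("fs01-pw-constructed")}
TGT_LIFETIME, MAX_SKEW = 8 * 3600, 300                    # seconds

def make_authenticator(username: str, password: str) -> bytes:
    """Client: username in clear, the rest sealed with the user's password key."""
    return seal(derive_key(password), {"user": username, "time": time.time()})

def as_exchange(username: str, authenticator: bytes) -> bytes:
    """AS: opening the authenticator with the stored key proves the client's identity."""
    auth = unseal(USERS[username], authenticator)          # wrong password -> ValueError
    if auth["user"] != username or abs(time.time() - auth["time"]) > MAX_SKEW:
        raise ValueError("authenticator mismatch or outside allowed clock skew")
    return seal(KDC_KEY, {"client": username, "expires": time.time() + TGT_LIFETIME})

def tgs_exchange(tgt_blob: bytes, service: str) -> bytes:
    """TGS: open the TGT with the KDC key, then issue a ticket sealed with the server's key."""
    tgt = unseal(KDC_KEY, tgt_blob)
    if time.time() > tgt["expires"]:
        raise ValueError("TGT expired")
    return seal(SERVICES[service], {"client": tgt["client"], "service": service})

def service_accept(service: str, ticket_blob: bytes) -> str:
    """Server: a ticket that opens under the server's own key is legitimate."""
    ticket = unseal(SERVICES[service], ticket_blob)
    if ticket["service"] != service:
        raise ValueError("ticket issued for another service")
    return ticket["client"]       # the server then checks its ACL for this principal
```

Note that neither the TGT nor the service ticket is ever readable by the client: the client only relays blobs, and a wrong password or a modified ticket fails at the decryption step rather than at some later comparison.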

How LDAP authentication works

LDAP authentication follows a client-server model. The client is a system or application requesting access to information in an LDAP database, while the server is an LDAP server. The LDAP authentication process can be divided into two steps as follows:

Step-by-step explanation of LDAP protocol:

Step 1 - Username Resolution

To authenticate a username, the user's distinguished name (DN) is required. The DN is a sequence of relative distinguished names (RDNs) separated by commas (,).

For example, here is the DN of a user named Clara Holt. The DN resembles a path starting from the Active Directory root.

CN=Clara Holt, OU=Users, DC=ADAuditPlus, DC=COM

Given the length and various attributes that are included in the DN, it is difficult for a user to remember it when providing the credentials for authentication. So instead of the DN, the client collects the user's username or email address and performs a DN resolution, which is analogous to a DNS resolution when you're looking up a website's IP address.

The username or email address is run against a database of all user entries until an exact match turns up. The directory attributes to search for are specified in the searchFilter configuration parameter.

ldapAuth.dnResolution.searchFilter = (|(uid=%u)(mail=%u))

Here %u is replaced with the user identifier collected in the login form.

A couple of requisites for effective DN resolution:
  • Always ensure users have unique usernames and email addresses. If more than one entry shares the same identifier, authentication will fail.
  • Ensure that all identifying attributes present in the login form are defined in the schema. For example, if a user's email address is not defined in the database, the resolution cannot be performed and authentication will fail.

Step 2 - User's password validation

LDAP authentication uses a bind operation to authenticate users and give them the required access. To validate the password, the DN resolved in step 1 and the password provided by the user are submitted in a bind request. The server checks the supplied password against the value stored in the schema attribute named userPassword.

  • The bind operation works even for password values that have been hashed or encrypted.
  • Again, as in the previous step, for successful authentication, the userPassword attribute must have a defined value.
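Both steps (DN resolution with the page's searchFilter, then a bind against userPassword) as an added Python example; this is not the page's or ADAudit Plus's own code. The in-memory directory, the hashed-password scheme and the user entries are constructed, and the matcher applies the filter's equality semantics directly instead of talking to an LDAP server. It also shows the RFC 4515 escaping that must be applied to the %u substitution, which the page does not mention.

```python
import hashlib, hmac, re

# RFC 4515 escaping for values substituted into a search filter. Without it an
# identifier containing "*", "(" or ")" would change the filter's meaning.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

SEARCH_FILTER = "(|(uid=%u)(mail=%u))"      # the searchFilter setting from the page

def build_filter(identifier: str) -> str:
    """The filter actually sent to the server: %u replaced by the escaped identifier."""
    return SEARCH_FILTER.replace("%u", escape_filter_value(identifier))

# Constructed in-memory directory standing in for the LDAP database. userPassword
# is stored hashed (SHA-256 hex, a constructed scheme) to show that bind still works.
def _pw(p: str) -> str:
    return "{SHA256}" + hashlib.sha256(p.encode()).hexdigest()

DIRECTORY = {
    "CN=Clara Holt,OU=Users,DC=ADAuditPlus,DC=COM":
        {"uid": "clara", "mail": "clara@adauditplus.com", "userPassword": _pw("Clara-pw-constructed")},
    "CN=Sam Lee,OU=Users,DC=ADAuditPlus,DC=COM":
        {"uid": "sam", "mail": "shared@adauditplus.com", "userPassword": _pw("Sam-pw-constructed")},
    "CN=Pat Roy,OU=Users,DC=ADAuditPlus,DC=COM":
        {"uid": "pat", "mail": "shared@adauditplus.com"},   # duplicate mail, no userPassword
}

def resolve_dn(identifier: str) -> str:
    """Step 1: find exactly one entry whose uid or mail equals the identifier."""
    attrs = re.findall(r"\((\w+)=%u\)", SEARCH_FILTER)      # ["uid", "mail"]
    matches = [dn for dn, e in DIRECTORY.items()
               if any(e.get(a) == identifier for a in attrs)]
    if len(matches) != 1:      # zero: unknown or undefined attribute; >1: non-unique
        raise LookupError(f"{len(matches)} entries match {build_filter(identifier)!r}")
    return matches[0]

def bind(dn: str, password: str) -> bool:
    """Step 2: a simple bind succeeds only if userPassword is defined and matches."""
    stored = DIRECTORY.get(dn, {}).get("userPassword")
    return stored is not None and hmac.compare_digest(stored, _pw(password))

def authenticate(identifier: str, password: str) -> bool:
    """Full login: resolution failures and bind failures both come back as False."""
    try:
        return bind(resolve_dn(identifier), password)
    except LookupError:
        return False
```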

Simplify Kerberos and LDAP auditing and reporting with ADAudit Plus

ADAudit Plus is a comprehensive Active Directory auditing solution that helps you monitor and audit local logons and logoffs by domain users. It can also track other critical events that can lead to network disruptions.

ADAudit Plus simplifies Kerberos activity tracking with a predefined Logon Activity report, accompanied by a graphical representation of the same data for easier comprehension. It also lets you generate custom reports and export them in your preferred format (.pdf, .xls, .html and .csv).

Monitoring LDAP servers is necessary to ensure service availability and performance. By tracking the LDAP queries processed, IT administrators can detect suspicious queries that may be used to perform reconnaissance on the Active Directory environment, and curb attacks. ADAudit Plus simplifies LDAP monitoring by offering predefined LDAP Auditing reports.

Once ADAudit Plus has been installed, it can automatically configure audit policies required for Active Directory auditing. To enable automatic configuration:
Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.

Steps to track Kerberos authentication using ADAudit Plus

  • Log in to ADAudit Plus.
  • Select the required Domain from the dropdown list.
  • Go to the Reports tab.
  • Navigate to Local Logon-Logoff.
  • Select the Logon Activity report, look for the Authentication Package column.

Steps to track LDAP events using ADAudit Plus

  • Log in to ADAudit Plus.
  • Select the required Domain from the dropdown list.
  • Go to the Server Audit tab.
  • Navigate to LDAP Auditing.
  • Select the desired report from the ones listed under LDAP Auditing.

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits and reports on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. It comes bundled with more than 200 predefined reports that make AD auditing easier. The solution also sends real-time alerts for critical events, helping you secure your network from threats and improve your IT security posture.
