How does AD authentication work?

Learning how the AD authentication mechanism works is crucial to understand how network security and access controls are maintained in a Windows environment. This process involves numerous steps to ensure that the identity of the users and devices are verified before they are given access to the network resources.

Kerberos and LDAP authentication protocols form the crux of AD authentication. These protocols play an important role in verifying the credentials and managing access permissions. At the grass-root level, AD authentication works by verifying credentials against the information stored in the AD server and utilizing these protocols to facilitate the secure transmission of data between the end user and the AD server. These protocols are further explained in depth below.

Kerberos protocol

The Kerberos protocol comprises the server, the client, and the key distribution center (KDC). The KDC itself comprises two servers, authentication server (AS) and ticket granting server (TGS).

Kerberos protocol serves two functions: granting tickets (the process of issuing tokens that prove the identity of a user or service for granting access to resources in a network) and authentication. If a user would like to gain access to the organization's resources, they would have to get authenticated from the KDC first.

AD authentication using the Kerberos protocol occurs in three phases:

1. When a user attempts to log in with their known user credentials, the client sends an encrypted request to the AS for issuing a token known as ticket granting ticket (TGT). Upon receiving this request, the AS decrypts the request using a secret key that it shares with the client, derived from the user's stored credentials. After decrypting this request, the AS issues a TGT encrypted with the user's password.
2. The client sends this TGT to the TGS to get a service ticket.
3. The client uses this service ticket to request access from the target server (application layer) that checks the validity of the service ticket using a key shared with the TGS. If valid, the target server allows the client to access the resources for a particular duration (session). The validity of the session can be tweaked according to the organizational policies.

Kerberos protocol relies on time sync between the client and the server. This makes it susceptible to replay attacks if the time set in the client and the server are not in sync with each other. An attacker that is able to gain rogue access to the KDC, can issue fake tickets and obtain access to resources.

LDAP protocol

LDAP is an open source, cross platform protocol used to communicate with various directory services such as AD. AD utilizes LDAP for both intra directory communication and to connect with applications outside the network. Authentication using the LDAP protocol can be achieved either by using simple authentication or simple authentication with a secure layer (SASL).

In simple authentication, the credentials entered by the user are used to raise a bind request to the server for authentication. This is just one of the ways by which authentication is performed in simple authentication. In addition, it also supports unauthenticated and anonymous authentication requests to the organizational resources.

On the other hand, SASL works in tandem with other security protocols such as Kerberos for authentication. SASL is more secure as the second security protocol serves as an additional layer during the authentication process. The highlight of SASL is that the authentication process is not dependent on the protocols supported by the application. Due to this, any security flaw in the application protocols is less likely to affect the authentication process.

The data packets transmitted during the authentication process are unencrypted. This makes authentication using LDAP vulnerable to man-in-the-middle (MitM) and eavesdropping attacks. To make security concerns even worse, MFA methods are not supported by the LDAP protocol.

Reinforce Active Directory authentication with adaptive MFA

ManageEngine ADSelfService Plus offers adaptive MFA with 20 different authentication factors, including passcode authentication. MFA can be deployed to enhance security across a variety of applications and systems, whether on-premises or in the cloud. This includes securing endpoints, such as applications, machines, VPNs, OWA, and self-service password management tasks. Using ADSelfService Plus, administrators can customize the MFA process based on users' organizational unit and group memberships. This flexibility allows you to enable passcode authentication for non-privileged users and systems when quick access is of priority. You can enable higher assurance authenticators for tighter security measures, particularly for privileged accounts, helping to mitigate the risks posed by cyberthreats.