Active Directory Authentication

August 22, 2021 – Active Directory

Kerberos V5 is a network authentication protocol. It is built to offer strong authentication for client/server applications using secret-key cryptography. It has been the default authentication protocol on Windows from Windows 2000 onwards, replacing the NTLM authentication protocol.

A client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client’s password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT using its password. If the client decrypts it successfully (i.e., if the client supplied the correct password), it keeps the decrypted TGT, which serves as proof of the client’s identity.

The TGT, which expires at a specified time, permits the client to obtain additional tickets that grant access to specific services. The requesting and granting of these additional tickets is transparent to the user.

1 – A user logs in to the client machine. The client sends a plaintext request for a TGT. The message contains the ID of the user, the ID of the requested service (the TGT), the client network address (IP) and the requested validity lifetime.

2 – The Authentication Server checks whether the user exists in the KDC database.
If the user is found, it randomly generates a session key for use between the user and the Ticket Granting Server (TGS).
The Authentication Server then sends two messages back to the client:
– One is encrypted with the TGS secret key.
– One is encrypted with the client secret key.

The TGS session key is the shared key between the client and the TGS.
The client secret key is the hash of the user credentials (username+password).

3 – The client decrypts the session key and can log on, caching the key locally. It also stores the encrypted TGT in its cache.
When accessing a network resource, the client sends a request to the TGS containing the name of the resource it wants to access, the user ID/timestamp and the cached TGT.

4 – The TGS decrypts the user information, issues a service ticket and a service session key for accessing the service, and sends them back to the client in encrypted form.

5 – The client sends the request to the server (encrypted with the service ticket and the session key).

6 – The server decrypts the request and, if it is genuine, grants access to the service.

NTLM is an authentication protocol. It was the default protocol in older Windows versions, but it is still used today.

1 – A user accesses a client computer and provides a domain name, user name and password.
The client computes a cryptographic hash of the password and discards the actual password. The client sends the user name to the server (in plaintext).

2 – The server generates a 16-byte random number, called a challenge, and sends it back to the client.

3 – The client encrypts this challenge with the hash of the user’s password and returns the result to the server. This is called the response.

4 – The server sends the following three items to the domain controller:
– User Name
– Challenge sent to the client
– Response received from the client

5 – The domain controller uses the user name to retrieve the hash of the user’s password. It encrypts the challenge with that hash and compares the result with the response received from the client (in step 4). If they are identical, authentication is successful and the domain controller notifies the server.

6 – The server then sends the appropriate response back to the client.
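The six NTLM steps above as an added example, not code from the original post: a toy client, server and domain controller in Python's standard library. SHA-256 and HMAC-SHA256 are stand-ins for the real NT hash (MD4) and the real response function, and the account names, passwords and class names are constructed for the demo; what it shows is that the password never leaves the client, that the DC only needs the stored hash, and that a fresh random challenge makes a captured response useless on the next logon.

```python
# Toy model of the NTLM steps above (constructed example): SHA-256 and HMAC-SHA256
# stand in for the real NT hash (MD4) and the real response function.
import hashlib, hmac, secrets

def password_hash(password: str) -> bytes:
    # Step 1: the client hashes the password and keeps only the hash.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Step 3: the challenge is keyed with the hash; the password never leaves the client.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class DomainController:
    # Stores hashes only; anyone holding a hash can answer as that user, so guard it.
    def __init__(self, accounts: dict):
        self.accounts = accounts  # user -> password hash
    def validate(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Step 5: recompute the response from the stored hash, compare in constant time.
        pw_hash = self.accounts.get(user)
        if pw_hash is None: return False
        return hmac.compare_digest(compute_response(pw_hash, challenge), response)

class Server:
    def __init__(self, dc: DomainController):
        self.dc = dc
        self.pending = {}  # user -> outstanding challenge
    def challenge(self, user: str) -> bytes:
        # Step 2: a fresh 16-byte random challenge for every logon attempt.
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]
    def authenticate(self, user: str, response: bytes) -> bool:
        # Step 4: hand (user, challenge, response) to the DC; the challenge is single-use.
        challenge = self.pending.pop(user, None)
        return challenge is not None and self.dc.validate(user, challenge, response)

def client_login(server: Server, user: str, password: str) -> bool:
    pw_hash = password_hash(password)  # the plaintext password is discarded here
    challenge = server.challenge(user)
    return server.authenticate(user, compute_response(pw_hash, challenge))

def demo() -> tuple:
    dc = DomainController({"alice": password_hash("correct horse")})
    srv = Server(dc)
    ok = client_login(srv, "alice", "correct horse")
    wrong_pw = client_login(srv, "alice", "battery staple")
    # Replay: a response computed for an earlier challenge fails against the next one.
    old = compute_response(password_hash("correct horse"), srv.challenge("alice"))
    srv.challenge("alice")
    replay = srv.authenticate("alice", old)
    return ok, wrong_pw, replay
```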
