authentication-in-active-directory.md

File metadata and controls

52 lines (37 loc) · 2.26 KB

Authentication in Active Directory

Most authentication mechanisms can be broken down into the following components:

  • A user who verifies their identity by providing something they have, something they are, something they know, or a combination of these (for example a username, a password, and an MFA token)
  • A system that accepts the user's input and verifies it against the data stored for that user
  • A database that stores the user information (the stored credential, or a derivative of it such as a hash)

We will look at AD authentication and authorization in terms of these three components.

The usual workflow of a user in an AD environment involves logging on to a workstation, accessing some service, making changes, and finally saving those changes. Each of these steps requires some kind of authentication and/or authorization, and AD facilitates that access through different mechanisms.

Let us go through the various means of authentication and authorization in AD.

Workstation:

There are three scenarios when a user attempts to log on to a domain-joined workstation:

  • Online, domain account:
    • the workstation can reach a domain controller, so the credentials are verified by AD
    • the user enters credentials into the logon UI (LogonUI, through a credential provider)
    • Winlogon hands the credentials to LSASS
    • LSASS authenticates to the DC using Kerberos (the default) or NetNTLM (the fallback when Kerberos cannot be used)
    • on success, LSASS stores a derivative of the credential in the local cache so the same user can log on later without a DC
  • Offline, domain account:
    • no domain controller is reachable, so the logon is satisfied from the local credential cache
    • the user enters credentials into the logon UI
    • Winlogon hands the credentials to LSASS
    • LSASS verifies the credentials against the cached domain credentials (MSCache v2 / DCC2 entries in the SECURITY hive) instead of asking a DC; the security log records this as logon type 11 (CachedInteractive)
  • Local (non-domain) account, online or offline:
    • the account belongs to the workstation itself, so neither a DC nor the domain credential cache is involved
    • the user enters credentials into the logon UI
    • Winlogon hands the credentials to LSASS
    • LSASS verifies the credentials against the local SAM database, where the account's NT hash is stored
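The three scenarios can be told apart after the fact from the workstation's 4624 (successful logon) events. The following Python is an added example, not code from the original page: it classifies simplified 4624 records into the online Kerberos, online NTLM, offline cached and local SAM cases. The records are constructed for illustration (only the fields the classifier reads are kept), and the rule that "Negotiate" without an NTLM sub-package means Kerberos is an assumption about how the event is populated.

```python
# Added example: classify Windows 4624 logon events into the workstation
# logon scenarios (online Kerberos / online NTLM / offline cached / local SAM).
from collections import Counter

# Constructed, simplified 4624 records (not captured events). Real events
# carry many more fields. LogonType 2 = Interactive, 11 = CachedInteractive,
# i.e. the DC was not contacted and locally cached credentials were used.
SAMPLE_4624 = [
    {"TargetUserName": "alice", "TargetDomainName": "CORP",
     "WorkstationName": "WS01", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "PackageName": "-"},
    {"TargetUserName": "bob", "TargetDomainName": "CORP",
     "WorkstationName": "WS01", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "PackageName": "NTLM V2"},
    {"TargetUserName": "alice", "TargetDomainName": "CORP",
     "WorkstationName": "WS01", "LogonType": 11,
     "AuthenticationPackageName": "Negotiate", "PackageName": "-"},
    {"TargetUserName": "localadmin", "TargetDomainName": "WS01",
     "WorkstationName": "WS01", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "PackageName": "NTLM V2"},
]


def classify_logon(ev: dict) -> str:
    """Map one 4624 record to the store that verified the credential."""
    if ev["LogonType"] == 11:
        # DC not reached: LSASS compared the password against the cached
        # domain credential (DCC2) kept in the SECURITY hive.
        return "offline-cached"
    if ev["TargetDomainName"].upper() == ev["WorkstationName"].upper():
        # Account domain equals the computer name: a local account, verified
        # by LSASS against the SAM. Network state is irrelevant here.
        return "local-sam"
    pkg = ev["AuthenticationPackageName"]
    # "Package Name (NTLM only)" is filled in only when NTLM was actually
    # used; for a Negotiate logon with "-" we assume Kerberos was selected.
    if pkg == "NTLM" or ev.get("PackageName", "-").upper().startswith("NTLM"):
        return "online-ntlm"
    if pkg in ("Kerberos", "Negotiate"):
        return "online-kerberos"
    return "unknown"


def summarize(events: list) -> Counter:
    """Count how many logons fell into each scenario."""
    return Counter(classify_logon(e) for e in events)


if __name__ == "__main__":
    for ev in SAMPLE_4624:
        print("{}\\{}: {}".format(ev["TargetDomainName"],
                                  ev["TargetUserName"], classify_logon(ev)))
    print(dict(summarize(SAMPLE_4624)))
```

Run over a real export (for example the output of Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}), the same rules answer two practical questions: which domain accounts are still falling back to NTLM, and which accounts have been logged on with cached credentials on this machine (and therefore have a DCC2 entry worth protecting).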

LSASS: Local Security Authority Subsystem Service

  • A process (lsass.exe) running on every Windows system; it hosts the Local Security Authority and its authentication packages (Kerberos, and MSV1_0 for NTLM and local logons)
  • Holds the credential material of the active logon sessions in memory, which is why LSASS memory is the classic target for credential dumping
  • Caches domain credentials of recent interactive logons on disk (HKLM\SECURITY\Cache, as MSCache v2 / DCC2 hashes) so those users can still log on when no DC is reachable; the CachedLogonsCount policy sets how many entries are kept (default 10 on client Windows, 0 disables caching), and members of the Protected Users group are never cached
  • Verifies credentials for offline logons against that cache
  • Enforces the local security policy (can be ignored for now)

SAM: Security Account Manager

  • Storage for credentials, not a cache: the registry hive HKLM\SAM is the account database for the machine's local accounts
  • Stores credentials only for local user accounts; domain accounts live in AD (ntds.dit on the domain controllers)
  • Stores the username together with the NT hash (MD4 over the UTF-16LE password), not the password itself; the hive is encrypted with a key derived from the boot key in the SYSTEM hive, so dumping it requires both hives or SYSTEM-level access
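To make the two stores concrete, the following Python is an added example, not code from the original page. It reproduces what the SAM keeps for a local account (the NT hash), what the LSASS logon cache keeps for a domain account (the DCC2 / MSCache v2 entry), and the comparison LSASS performs during an offline logon. The username and password are constructed; the MD4 implementation is included because Python builds on OpenSSL 3 often lack hashlib's md4.

```python
# Added example: the credential derivatives held by the SAM (NT hash) and by
# the LSASS domain logon cache (DCC2), and the offline-logon comparison.
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Windows uses it for the NT hash and for DCC1."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & _MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = [(v + w) & _MASK for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """What the SAM stores for a local account: unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    """What the LSASS cache stores for a domain account (MSCache v2 / DCC2):
    PBKDF2-HMAC-SHA1 over DCC1 = MD4(NT hash || lowercase username), salted
    with the lowercase UTF-16LE username, 10240 iterations, 16-byte output."""
    user = username.lower().encode("utf-16-le")
    dcc1 = md4(nt_hash(password) + user)
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, 16)


def hashcat_dcc2(username: str, password: str) -> str:
    """Render the cache entry in the $DCC2$ form hashcat mode 2100 consumes."""
    return "$DCC2$10240#%s#%s" % (username.lower(), dcc2(username, password).hex())


def offline_logon_check(username: str, candidate: str, cached: bytes) -> bool:
    """The offline logon step: recompute DCC2 from the typed password and
    compare it with the cached entry, without contacting a DC."""
    return hmac.compare_digest(dcc2(username, candidate), cached)


# Constructed sample cache: one domain user who logged on while online.
SAMPLE_CACHE = {"alice": dcc2("alice", "Winter2024!")}

if __name__ == "__main__":
    print("NT hash of empty password:", nt_hash("").hex())
    print(hashcat_dcc2("alice", "Winter2024!"))
    print("offline logon, right password:",
          offline_logon_check("alice", "Winter2024!", SAMPLE_CACHE["alice"]))
    print("offline logon, wrong password:",
          offline_logon_check("alice", "Summer2024!", SAMPLE_CACHE["alice"]))
```

The contrast between the two functions is the point: the SAM's NT hash is an unsalted single MD4 and can be used directly (pass-the-hash) or cracked at full speed, while a DCC2 entry is salted with the username and costs 10240 PBKDF2 iterations per guess, and cannot be passed, only cracked. Both stores are readable only with SYSTEM-level access to the SAM or SECURITY hive plus the SYSTEM hive's boot key.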

Each of these flows (online logon, offline logon, local logon, and password change, which is not covered here) can be broken down into the same three components from the start: the protocol that carries the user's input (Kerberos or NetNTLM to a DC, or a purely local verification inside LSASS), the user information being presented, and the database that holds the stored credential (AD on the domain controllers, the LSASS cache, or the SAM).