There are multiple authentication methods that AD uses, but here we will only look at two of them: Kerberos and NTLM.
Many protocols on the internet do not secure application traffic, so an attacker who can sniff the traffic can read it, and a client-server architecture depends on clients proving their identity. Some applications rely on a WAF or a network firewall to protect the applications behind them, but these can also be bypassed.
Therefore, to overcome these security problems, we use NTLM and Kerberos.
NTLM /Windows New Technology LAN Manager:
NTLM was the default authentication protocol in Windows NT 4.0. It uses a challenge-response mechanism for authentication: the client has to prove its identity without sending its password over the network.
Communication between the client and the server happens in three messages:
a. NTLM Negotiate Message: sent from the client to the server, advertising the NTLM options it supports.
b. NTLM Challenge Message
Note: It was supported until Windows 2000.
NTLM is used in the following cases:
a. The user/client connects to the server for authentication by IP address.
b. The user/client connects to the server by hostname, but that hostname is not registered in the DNS server integrated with the AD server.
The client computer computes a cryptographic hash of the user's password, known as the NTLM hash.
1. When the client connects to the server, it sends its username.
2. Based on that username, the server generates a random 16-byte value (nonce), known as the NTLM challenge, and sends it to the client.
3. The client encrypts that random value with the key derived from its password (the NTLM hash) and sends the result, the response, to the server.
4. The server forwards the challenge, the client's response and the username to the DC. The DC fetches the user's stored password hash from its database and encrypts the challenge with it.
5. Finally, the DC compares its own encrypted challenge with the authentication response the client sent to the server. If the two are equal, the user is authenticated.
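The following Python code is an added example, not part of the original article: it models steps 1 to 5 above with three parties (server, client and DC). The NT hash is computed as MD4 over the UTF-16LE password, with MD4 implemented inline because `hashlib` often cannot provide it. The response function is a simplified stand-in for the real NTLMv2 computation (HMAC-MD5 keyed with the hash over the challenge only; the real protocol also folds in the username, domain and a client blob). The `DomainController` class, `ntlm_authenticate` and the user names are assumptions made for this example.

```python
"""Model of the NTLM challenge/response flow described above (constructed example)."""
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & MASK


def _md4_round(regs, X, fn, const, order, shifts):
    # One MD4 round; the register list is rotated so each step updates the next register
    regs = list(regs)
    for i, k in enumerate(order):
        a, b, c, d = regs
        a = _rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        regs = [d, a, b, c]
    return tuple(regs)


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), implemented inline because hashlib's md4 is often unavailable."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = _md4_round(state, X, F, 0, range(16), (3, 7, 11, 19))
        r = _md4_round(r, X, G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13))
        r = _md4_round(r, X, H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15))
        state = tuple((s + t) & MASK for s, t in zip(state, r))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NTLM (NT) hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def ntlm_response(key: bytes, challenge: bytes) -> bytes:
    # Simplified stand-in for the NTLMv2 response: HMAC-MD5 keyed with the hash over the
    # server challenge. The real computation also covers username, domain and a client blob.
    return hmac.new(key, challenge, "md5").digest()


class DomainController:
    """Holds the directory: username -> stored NT hash (the DC never needs the plaintext)."""

    def __init__(self, directory: dict):
        self.directory = directory

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Steps 4-5: recompute the expected response from the stored hash and compare it
        # in constant time with the response the server forwarded
        stored = self.directory.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(ntlm_response(stored, challenge), response)


def ntlm_authenticate(dc: DomainController, user: str, password: str) -> bool:
    """Steps 1-5 as one exchange: the server issues a 16-byte challenge, the client answers
    with its hash, and the server forwards (user, challenge, response) to the DC."""
    challenge = os.urandom(16)                                # step 2: server-side nonce
    response = ntlm_response(nt_hash(password), challenge)    # step 3: client-side response
    return dc.verify(user, challenge, response)               # steps 4-5: DC decides


if __name__ == "__main__":
    dc = DomainController({"alice": nt_hash("correct-horse")})   # constructed directory
    print("alice / correct-horse:", ntlm_authenticate(dc, "alice", "correct-horse"))
    print("alice / wrong:", ntlm_authenticate(dc, "alice", "wrong"))
```

The point to take from the model is that neither the server nor the DC ever sees the password; the stored hash alone is enough to compute and verify the response. That is why the NT hash must be protected as a password-equivalent secret on every host that caches it.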
Kerberos:
Compared to NTLM, Kerberos uses strong cryptography to prove a user's identity. It was created by MIT and is freely available from there. It helps secure user information across the entire network.
Kerberos is a network protocol for authenticating client and server applications using secret-key cryptography. To function properly, Kerberos uses the DC in the role of the key distribution center (KDC), which runs the authentication server service.
When a user wants to use a service which requires authentication:
1. The workstation sends a request to the DC, the AS-REQ, which contains a timestamp. That timestamp is encrypted with a hash derived from the user's password and username.
2. The DC sees that the request is associated with a particular user. It then attempts to decrypt the timestamp and checks whether it has already received that timestamp. If the timestamp is unique and decryption succeeds, authentication is considered successful and the DC returns an AS-REP to the client. The AS-REP contains a session key (since Kerberos is stateless) and a Ticket Granting Ticket (TGT).
The TGT contains information about the user: the groups the user belongs to, the domain, the timestamp of the login attempt, the client's IP address and the session key.
i. The session key is encrypted with the user's password, so the user can decrypt it and reuse it.
ii. The TGT is encrypted with a secret key known only to the DC, so the client cannot decrypt it.
By default, a TGT is valid for 10 hours, and during that time the user does not need to re-authenticate.
3. If the user then wants to access another resource in the same domain, the client contacts the DC again with a TGS_REQ, which contains the following parameters:
i. The registered service principal name (SPN) of the other resource; the DC checks whether it exists.
ii. The TGT, which can only be decrypted with the DC's secret key.
iii. The username and timestamp, which the DC decrypts using the session key extracted from the TGT.
Based on the request parameters, the DC performs the following validations:
i. The TGT must have a valid timestamp.
ii. The username in the TGS_REQ must match the username in the TGT.
iii. The client's IP address must match the IP address in the TGT.
When all three conditions are met, the ticket granting service responds to the client with a TGS_REP, which contains the following:
i. The SPN for which access was granted.
ii. A session key to be used between the client and the SPN.
iii. The service ticket, which includes the username and group membership along with the newly created session key.
Note: The SPN and session key are encrypted with the session key generated at TGT time, while the service ticket is encrypted with the password hash of the service account registered for the SPN.
Once all three steps are done at the KDC and the client has both the session key and the service ticket, authentication to the service starts.
4/5. The application server decrypts the service ticket using the password hash of the service account and extracts the username and the session key. It then checks:
Username from AP_REQ == username from service ticket
If they match, the application server accepts the request and tries to assign the appropriate permissions.
6. This step is optional; it happens when both the user's workstation and the authentication server want mutual authentication.
7. PAC / Privilege Attribute Certificate: it contains information about the user's privileges and is added to the TGT by the DC. It is needed when the user wants to authenticate to other systems with their Kerberos ticket. It is very sensitive data and, on top of that, an optional part of the authentication process.
8. Because the PAC request is optional, its response is also optional. Kerberos is a little hard to understand, but it is designed to mitigate attacks and protect users from credential theft.
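The following Python code is an added example, not part of the original article: it models the AS, TGS and AP exchanges of steps 1 to 5 above, including the validation checks the DC performs on a TGS_REQ (registered SPN, fresh timestamp, matching username and client IP) and the replay check on the pre-authentication timestamp. Real Kerberos encrypts with AES-CTS-HMAC encryption types and derives keys with PBKDF2; here `seal`/`unseal` are a toy authenticated-encryption stand-in and `derive_key` is a SHA-256 stand-in, both assumptions of this example. The `KDC` class, the 300-second skew window, the principal names and the SPN `HTTP/web01.corp.example` are likewise constructed for the example.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges described above (constructed example)."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300                 # tolerated clock difference in seconds (Kerberos default: 5 minutes)
TGT_LIFETIME = 10 * 3600   # TGT validity from the text: 10 hours

def derive_key(password: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (real KDCs use PBKDF2-based derivation)
    return hashlib.sha256(password.encode("utf-8")).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream XOR + HMAC-SHA256 tag) standing in
    for the Kerberos AES-CTS-HMAC encryption types. Demonstration only, never for real use."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Domain controller acting as AS and TGS. keys maps principal -> long-term key:
    'krbtgt' is the KDC's own secret; the other entries are users and service accounts."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.seen = set()   # (user, timestamp) pairs already accepted: the replay cache

    def as_exchange(self, user: str, pre_auth: bytes, client_ip: str):
        # Steps 1-2: the timestamp must decrypt under the user's key, be fresh and be unseen
        ts = unseal(self.keys[user], pre_auth)["ts"]
        now = time.time()
        if abs(now - ts) > SKEW or (user, ts) in self.seen:
            raise PermissionError("pre-authentication failed")
        self.seen.add((user, ts))
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "ip": client_ip, "key": session,
                                        "exp": now + TGT_LIFETIME})   # only the DC can open it
        # AS-REP: the session key sealed under the user's key, plus the TGT
        return seal(self.keys[user], {"key": session}), tgt

    def tgs_exchange(self, spn: str, tgt: bytes, authenticator: bytes, client_ip: str):
        # Step 3: validate the TGS_REQ against the TGT before issuing a service ticket
        if spn not in self.keys:                                  # i. SPN must be registered
            raise LookupError(f"unknown SPN {spn}")
        t = unseal(self.keys["krbtgt"], tgt)                      # ii. open the TGT
        auth = unseal(bytes.fromhex(t["key"]), authenticator)     # iii. session key from TGT
        now = time.time()
        if now > t["exp"] or abs(now - auth["ts"]) > SKEW:
            raise PermissionError("TGT or authenticator timestamp invalid")
        if auth["user"] != t["user"] or client_ip != t["ip"]:
            raise PermissionError("username or client IP does not match the TGT")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[spn], {"user": t["user"], "key": svc_key})   # service ticket
        return seal(bytes.fromhex(t["key"]), {"spn": spn, "key": svc_key}), ticket

def ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """Steps 4-5 on the application server: open the ticket with the service account key,
    then check the AP_REQ authenticator under the session key found inside the ticket."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["user"] != t["user"] or abs(time.time() - auth["ts"]) > SKEW:
        raise PermissionError("AP-REQ rejected")
    return t["user"]   # the authenticated username the server may now authorize

def client_login_and_access(kdc: KDC, user: str, password: str, spn: str, client_ip: str):
    """Client side: AS-REQ/AS-REP, TGS_REQ/TGS_REP, then the AP_REQ material for the service."""
    ukey = derive_key(password)
    as_rep, tgt = kdc.as_exchange(user, seal(ukey, {"ts": time.time()}), client_ip)
    session = bytes.fromhex(unseal(ukey, as_rep)["key"])   # only the user can open the AS-REP
    tgs_rep, ticket = kdc.tgs_exchange(
        spn, tgt, seal(session, {"user": user, "ts": time.time()}), client_ip)
    svc_key = bytes.fromhex(unseal(session, tgs_rep)["key"])
    return ticket, seal(svc_key, {"user": user, "ts": time.time()})

def demo_keys() -> dict:
    # Constructed directory: two users, the KDC secret and one service account (hypothetical SPN)
    return {"alice": derive_key("correct-horse"), "bob": derive_key("hunter2"),
            "krbtgt": os.urandom(32), "HTTP/web01.corp.example": os.urandom(32)}

if __name__ == "__main__":
    keys, spn = demo_keys(), "HTTP/web01.corp.example"
    ticket, ap_req = client_login_and_access(KDC(keys), "alice", "correct-horse", spn, "10.0.0.5")
    print("service accepted user:", ap_exchange(keys[spn], ticket, ap_req))
```

Two properties of the text show up directly in the model: the application server never talks to the DC, because everything it needs is inside the ticket sealed under its own key, and a ticket sealed for one service fails the integrity check at any other service. Logging the `PermissionError` and `LookupError` paths on a real KDC is where detection of timestamp replay, IP mismatch and unknown-SPN requests would start.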
Difference b/w Kerberos and NTLM:
For authentication, Microsoft initially used NTLM and later moved to Kerberos because Kerberos has stronger verification and encryption capabilities. NTLM can be hacked in a couple of hours, so it is not safe to use, but in some places such as Windows Vista, Windows Server 2003, Windows Server 2003 R2 and Windows XP, Microsoft still uses NTLM.
NTLM:
1. Authentication is slow compared to Kerberos.
2. It has no mutual authentication option.
3. It is a Microsoft-proprietary authentication protocol.
4. It has no smart card logon option.
Kerberos:
1. It uses a ticketing system, which makes authentication faster.
2. It has mutual authentication, though it is optional.
3. It is an open standard.
4. It has a smart card logon option.