In this lesson, I will briefly present the two authentication methods available in an Active Directory environment.
In an Active Directory environment, there are two authentication methods: NTLM and Kerberos.
NTLM
NTLM (NT LAN Manager) is the oldest authentication protocol, which emerged in the 1980s. Today the protocol is at version 2 (NTLMv2).
NTLM uses a Challenge <-> Response mechanism to authenticate the user.
With each authentication, a hash of the user’s password is transmitted multiple times over the network.
NTLM is still used for historical reasons: some applications do not support Kerberos, and it is also the fallback when a resource is reached by IP address rather than by name, for example a network share accessed via the server's IP address.
Overview of NTLM authentication:
- The user logs in to a computer on the domain with their username and password.
- The user wishes to access a share, so they send their identifier to the server.
- The server generates a hash (challenge) which it sends to the requester.
- The user responds to the server by sending their encrypted password with the hash (response).
- The server sends the username, encrypted password, and hash to the domain controller.
- The domain controller verifies the user's identity.
- The domain controller notifies the server to indicate that the user is properly authenticated.
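The seven NTLM steps above, modelled as three parties (client, file server, domain controller) in Python. This is an added example, not code from the original lesson: the hashing uses HMAC-SHA256 as a stand-in for NTLM's MD4/HMAC-MD5 so that the mechanism (only a response derived from the stored hash crosses the wire, and only the DC holds that hash) is visible without the real byte layout; the account names and domain are constructed.

```python
import hashlib
import hmac
import secrets

def password_hash(password):
    # Stand-in for the NT hash the DC stores (real NTLM uses MD4 over UTF-16LE).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash, username, domain, challenge):
    # The client proves knowledge of the hash without sending it: the response
    # is a keyed MAC over the server's challenge (NTLMv2-style, HMAC-SHA256 here).
    ident = (username.upper() + domain).encode("utf-16-le")
    user_key = hmac.new(pw_hash, ident, hashlib.sha256).digest()
    return hmac.new(user_key, challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self, accounts, domain):
        self.domain = domain
        self.stored = {u: password_hash(p) for u, p in accounts.items()}  # hashes only

    def verify(self, username, challenge, response):
        # Step 6: recompute the expected response from the stored hash and compare.
        pw_hash = self.stored.get(username)
        if pw_hash is None:
            return False
        expected = compute_response(pw_hash, username, self.domain, challenge)
        return hmac.compare_digest(expected, response)

class FileServer:
    def __init__(self, dc):
        self.dc = dc
        self.pending = {}  # username -> outstanding challenge

    def negotiate(self, username):
        # Step 3: issue a fresh random challenge and remember it for this user.
        challenge = secrets.token_bytes(8)
        self.pending[username] = challenge
        return challenge

    def authenticate(self, username, response):
        # Steps 5-7: relay username, challenge and response to the DC. The
        # challenge is single-use, so a captured response cannot be replayed.
        challenge = self.pending.pop(username, None)
        return challenge is not None and self.dc.verify(username, challenge, response)

def client_login(server, username, domain, password):
    # Steps 2-4: send the identifier, receive the challenge, answer it.
    challenge = server.negotiate(username)
    response = compute_response(password_hash(password), username, domain, challenge)
    return server.authenticate(username, response)
```

Note that the server itself never learns the password or its hash; it only relays the challenge and response to the DC, which is why the DC is in the loop on every NTLM authentication.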
Kerberos
Kerberos is a more advanced authentication system built around a Key Distribution Center (KDC), a service hosted by the domain controllers.
Kerberos has the advantage of not transmitting the password at each authentication.
Summary of an authentication with Kerberos:
- The user logs in with a username/password pair on a computer in the domain.
- The computer sends an authentication request, or TGT request (Ticket Granting Ticket), to the Key Distribution Center (KDC). This is called KRB_AS_REQ.
- The response is called KRB_AS_REP. The domain controller returns to the user a session key and the TGT, which contains several pieces of information:
  - User name
  - Validity period
  - PAC (Privilege Attribute Certificate), which contains information about the client such as the groups they belong to.
- The user wants to access the file server, so they send a ticket request to the KDC to access the service. This request is called KRB_TGS_REQ (Ticket-Granting Service).
- The KDC returns a ticket to the user so they can access the service on the server. The ticket contains several pieces of information about the user and the service. The response is called KRB_TGS_REP.
- The user sends the request to the file server, providing the ticket for the service. This request is called KRB_AP_REQ. The server verifies the user's identity.
- The server may respond to the client with KRB_AP_REP so that the client can, in turn, identify the server.
Kerberos is in charge of authentication; access permissions (NTFS rights, group membership, etc.) are checked later by the server where the service is hosted.