Active Directory user authentication confirms the identity of any user trying to log on to a domain. Once the user's identity is confirmed, the user is allowed access to resources.
A key feature of this is single sign-on: the user provides credentials only once and can then access multiple services. Authentication is performed using the Kerberos protocol, which consists of three key components:
- the Key Distribution Center (KDC),
- the client, and
- the target server hosting the service to be accessed.
The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). The AS issues a Ticket Granting Ticket (TGT) after confirming the identity of the user. The TGT is in turn presented to the TGS to obtain a service ticket for the target server. Using the granted service ticket, the user can access resources on that server. The process is shown in figure 3.
Active Directory user authorization secures resources from unauthorized access. After a user has been authenticated, the type of access actually granted is determined by the user rights assigned to the user and the permissions attached to the objects the user wishes to access. Each object has access control lists associated with it:
- DACL: the Discretionary Access Control List specifies which user accounts and groups are allowed or denied access to a particular object.
- SACL: the System Access Control List defines which operations, such as read, write or delete, should be audited for a user or group.
Each list is made up of access control entries (ACEs) that list the permissions allowed or denied for a user or group. Each time a user logs on, an access token is created for that user. The access token consists of the individual SID, the group SIDs and the user rights:
- The individual security identifier (SID) uniquely identifies the logged-on user.
- The group SIDs identify the groups to which the user belongs.
- User rights are assigned to both individual users and groups. They include privileges such as backing up files or directories, and logon rights.
When a user requests access to a particular object, the individual SID and group SIDs in the access token are compared against the DACL entries, first to see whether the user is explicitly denied access, and then to see whether the requested access is specifically permitted. These steps are repeated until an explicit deny is encountered or sufficient information has been collected to grant access to the resource.
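The access check just described, as an added, simplified model (not code from the original article or from Windows itself): the token's SIDs are matched against each ACE in DACL order, a matching deny on a still-needed right ends the check, and allow ACEs accumulate rights until the request is fully covered. The rights bit flags and the SID strings are constructed placeholders, and the DACL is assumed to be in canonical order (deny ACEs before allow ACEs), which is what makes the deny-first behaviour hold.

```python
from dataclasses import dataclass
from typing import List, Set

# Access rights as bit flags (constructed; a simplified stand-in for Windows access masks)
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class ACE:
    """One access control entry: allow or deny a mask of rights for one SID."""
    sid: str
    mask: int
    allow: bool

@dataclass
class AccessToken:
    """Simplified access token: the user's own SID plus the SIDs of its groups."""
    user_sid: str
    group_sids: Set[str]

    def sids(self) -> Set[str]:
        return {self.user_sid} | self.group_sids

def check_access(token: AccessToken, dacl: List[ACE], requested: int) -> bool:
    """Walk the DACL in order (canonical order lists deny ACEs before allow ACEs).
    A deny ACE matching a token SID and a still-needed right ends the check with
    no access; allow ACEs accumulate rights until every requested right is covered.
    Running out of ACEs first is an implicit deny. An empty DACL grants nothing
    here (a NULL DACL on a real Windows object behaves differently)."""
    remaining = requested
    token_sids = token.sids()
    for ace in dacl:
        if ace.sid not in token_sids:
            continue  # ACE applies to a SID not present in this token
        if not ace.allow:
            if ace.mask & remaining:
                return False  # explicit deny on a right we still need
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True  # sufficient information collected: grant access
    return False  # implicit deny: no ACE granted the remaining rights

# Constructed sample data: SIDs are placeholders, not real Windows SIDs
SAMPLE_DACL = [
    ACE("S-GROUP-CONTRACTORS", WRITE | DELETE, allow=False),  # deny ACEs first
    ACE("S-GROUP-STAFF", READ, allow=True),
    ACE("S-GROUP-FINANCE", WRITE | DELETE, allow=True),
]
ALICE = AccessToken("S-USER-ALICE", {"S-GROUP-STAFF", "S-GROUP-FINANCE"})
BOB = AccessToken("S-USER-BOB", {"S-GROUP-STAFF", "S-GROUP-CONTRACTORS"})
```

With this data, `check_access(BOB, SAMPLE_DACL, READ)` succeeds because the Contractors deny ACE covers no right Bob still needs, while `check_access(BOB, SAMPLE_DACL, READ | WRITE)` fails on that same ACE before any allow ACE is reached.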