Windows Active Directory

User authentication and user authorization process: An explanation

What you’ll learn:

Active Directory authentication and authorization are security processes. They are necessary in any environment so that the environment’s resources are not misused by anyone. In this article, we will look at what authentication and authorization are in an AD environment and how AD handles these processes. Before going further, let’s look at the difference between authentication and authorization.

Authentication vs authorization

Authentication and authorization are both security related processes. However, their functions are different. Authentication deals with the verification of an identity. It determines whether a person or a machine is who they say they are.

Authorization, on the other hand, deals with allowing a person or a machine access to resources. Authorization determines whether a person or a machine has the permissions necessary to be granted access to certain resources in a network.

What is AD authentication?

The AD authentication system verifies the identity of any user who is trying to log in to the AD network. After successful authentication, the user is allowed to access the AD network’s resources. Active Directory uses the Kerberos protocol to authenticate its users. The Kerberos authentication protocol succeeds the NTLM protocol. Kerberos authentication is far superior to NTLM authentication because Kerberos uses stronger encryption based on symmetric key cryptography, and the whole authentication process is mediated by a third, independent entity apart from the client and the server that grants the service.

Brief history of Kerberos protocol

The Kerberos protocol is a cross-platform authentication protocol. It was initially developed at the Massachusetts Institute of Technology for a project called Athena. Kerberos has been the backbone of authentication for Active Directory since the introduction of Windows Server 2003. The protocol derives its name from Cerberus, the three-headed dog of Greek mythology, because the Kerberos protocol uses three components for the authentication process.

How AD authentication works using Kerberos

The three components for a Kerberos authentication process to work are:

- The client, which requests access to a service
- The server that hosts the service the client wants to use
- The Key Distribution Center (KDC)

The KDC has two services, which are:

- The Authentication Service (AS), which verifies the client and issues a ticket-granting ticket (TGT)
- The Ticket Granting Service (TGS), which issues service tickets in exchange for a valid TGT

The KDC service is installed on the domain controller.

Let’s say that John is a client who wants access to a service on server A. Here’s how the three components of Kerberos authentication work together to provide AD authentication:

Figure: Kerberos Authentication Process Flow
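The exchange between John, the KDC on the domain controller and server A, as an added example that is not part of the original article: the client obtains a TGT from the Authentication Service, trades it for a service ticket at the Ticket Granting Service, and presents that ticket to the service, which validates it with only its own long-term key. The `seal`/`unseal` functions are a stand-in for Kerberos encryption types, the directory of principals is constructed, and the flow omits pre-authentication that real AD requires; all names, passwords and keys are assumptions.

```python
"""Toy model of the three-party Kerberos exchange: client (John), KDC on the
domain controller (AS + TGS) and the service on server A. Added illustration;
'seal'/'unseal' stand in for Kerberos encryption types, and every principal
name, password and key here is constructed."""
import hashlib
import hmac
import json
import os
import time

def derive_key(secret: str) -> bytes:
    # Stand-in for Kerberos string-to-key; real KDCs salt and iterate the password.
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, payload: dict) -> bytes:
    # Authenticated-encryption stand-in: keystream XOR plus an HMAC tag.
    plain = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob does not decrypt under this key")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Key Distribution Center: holds every principal's long-term key."""
    def __init__(self, principals: dict, lifetime: int = 600):
        self.keys = {name: derive_key(pw) for name, pw in principals.items()}
        self.lifetime = lifetime

    def authentication_service(self, cname: str) -> dict:
        """AS exchange: a TGT sealed with the krbtgt key, plus the session key
        sealed with the client's own key. Only the right password unseals it."""
        session, exp = os.urandom(32).hex(), time.time() + self.lifetime
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": session, "exp": exp})
        return {"tgt": tgt, "enc_part": seal(self.keys[cname], {"key": session, "exp": exp})}

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, sname: str) -> dict:
        """TGS exchange: validate the TGT, then issue a service ticket sealed with
        the service's key; the client never learns that key."""
        t = unseal(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": svc_session})
        return {"ticket": ticket,
                "enc_part": seal(bytes.fromhex(t["key"]), {"key": svc_session, "sname": sname})}

def client_login(kdc: KDC, cname: str, password: str, sname: str) -> dict:
    """Client side: AS exchange, TGS exchange, then the AP-REQ for the service.
    The password never leaves the client; it only unseals the AS reply."""
    as_rep = kdc.authentication_service(cname)
    session_key = bytes.fromhex(unseal(derive_key(password), as_rep["enc_part"])["key"])
    authenticator = seal(session_key, {"cname": cname, "ts": time.time()})
    tgs_rep = kdc.ticket_granting_service(as_rep["tgt"], authenticator, sname)
    svc_key = bytes.fromhex(unseal(session_key, tgs_rep["enc_part"])["key"])
    return {"ticket": tgs_rep["ticket"],
            "authenticator": seal(svc_key, {"cname": cname, "ts": time.time()})}

def service_accept(service_key: bytes, ap_req: dict) -> str:
    """Server A checks the AP-REQ with only its own long-term key: no call to the KDC."""
    ticket = unseal(service_key, ap_req["ticket"])
    auth = unseal(bytes.fromhex(ticket["key"]), ap_req["authenticator"])
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator principal does not match ticket")
    return ticket["cname"]

# Constructed directory: the krbtgt account, John, and the service account for server A.
PRINCIPALS = {"krbtgt": "kdc-long-term-secret", "john": "JohnsPassword!",
              "host/server-a": "service-long-term-secret"}

def demo(password: str = "JohnsPassword!") -> str:
    """Run the full flow; returns the authenticated principal name server A sees."""
    kdc = KDC(PRINCIPALS)
    ap_req = client_login(kdc, "john", password, "host/server-a")
    return service_accept(derive_key(PRINCIPALS["host/server-a"]), ap_req)
```

Calling `demo()` returns `"john"`; a wrong password fails at the client when the AS reply does not unseal, and a ticket issued for server A fails at any service holding a different key. This is the property the article relies on: the KDC is the only party that knows every key, and the service authorizes on the ticket alone.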

What is AD authorization?

The AD authorization process secures AD resources against unauthorized access. After a user is authenticated using the AD authentication process, the resources that the user can access are defined. This is done using access control lists (ACLs) and access control entries (ACEs). Each object in AD has an ACL associated with it that determines which users can access the object.

Access control lists and access control entries

ACLs are tables, or simple lists, that define the trustees that have access to the object in question and what type of access those trustees have. A trustee may be any security principal, such as a user account, a group account, or a logon session. Each ACL is a list of ACEs; each ACE names a trustee and defines what type of access that trustee has to the object.

Authenticating and Authorizing Objects in AD

There are two types of ACLs, which are as follows:

- Discretionary access control list (DACL)
- System access control list (SACL)

When a user tries to access an object in the AD network, the AD authorization process checks the DACL to see whether the user is listed and, if so, whether the user is granted permission and what type of permission is granted. Only if the user is granted permission will the system authorize the user to access the resource. This is how user authorization works in the AD environment.

The SACL is used to audit an object’s security based on how a user or group accesses the object. For example, you can audit whether a user was able to access the object using a particular permission (such as Read, Write, or Full Control). Information about what to audit is kept in ACEs stored within the SACL. These entries control what is audited and contain information about the events to be logged. In this way, records can be kept of the security of objects and of whether specific users or groups are able to access them successfully.

A DACL is a listing of ACEs for users and groups and includes information about the permissions that a user or group has to a file. The DACL controls whether a user is granted or denied access to an object. ACEs in the DACL explicitly identify individual users and groups, and the permissions granted to each. Because only users and groups identified in the DACL can access an object in Active Directory, any user or group that isn’t specified is denied access.

Active Directory places the permissions you can apply to objects into two categories: standard permissions and special permissions. Standard permissions are those that are commonly applied to objects, whereas special permissions provide additional access control.
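The DACL check and the SACL audit described above, as an added example that is not part of the original article. It models one object's DACL and SACL as lists of ACEs, walks the DACL the way Windows does (deny entries first, allow entries accumulating rights, no matching entry meaning no access), and emits the audit records the SACL asks for. The object, trustees, access-mask bits and tokens are all constructed.

```python
"""Toy model of how AD evaluates an object's DACL (authorization) and SACL (auditing).
Added illustration; the object, trustees, access-mask bits and tokens are constructed."""
from dataclasses import dataclass

# Constructed access-mask bits; real AD masks are richer (per-property rights, etc.).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | DELETE

@dataclass
class ACE:
    trustee: str          # security principal: user, group or logon session
    mask: int             # rights this entry covers
    kind: str             # "allow" or "deny" in a DACL, "audit" in a SACL
    audit_on: tuple = ("success", "failure")   # SACL entries only

@dataclass
class Token:
    """What successful authentication produced for the caller."""
    user: str
    groups: frozenset

def access_check(dacl: list, token: Token, requested: int) -> bool:
    """Walk the DACL in order (canonical order puts deny ACEs first).
    A matching deny ACE covering any requested bit ends the check; allow ACEs
    accumulate rights until every requested bit is granted. If the walk ends
    without covering the request, access is denied, which is why a principal
    absent from the DACL gets nothing."""
    principals = {token.user} | token.groups
    granted = 0
    for ace in dacl:
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & requested == requested:
                return True
    return False

def audit_records(sacl: list, token: Token, requested: int, allowed: bool) -> list:
    """Produce the audit lines the SACL asks for, given the access-check outcome."""
    outcome = "success" if allowed else "failure"
    principals = {token.user} | token.groups
    return [f"AUDIT {outcome.upper()}: {token.user} requested 0x{requested:x} "
            f"(SACL entry for {ace.trustee})"
            for ace in sacl
            if ace.trustee in principals and ace.mask & requested and outcome in ace.audit_on]

# Constructed ACLs for one object. Deny entries come first (canonical order).
SAMPLE_DACL = [
    ACE("Contractors", WRITE, "deny"),
    ACE("Domain Admins", FULL_CONTROL, "allow"),
    ACE("HR Staff", READ, "allow"),
]
SAMPLE_SACL = [
    ACE("Everyone", WRITE | DELETE, "audit"),                # log every write/delete attempt
    ACE("HR Staff", READ, "audit", audit_on=("failure",)),   # only failed reads by HR staff
]

def request_access(token: Token, requested: int) -> tuple:
    """Authorization step after authentication: the DACL decides, the SACL records."""
    allowed = access_check(SAMPLE_DACL, token, requested)
    return allowed, audit_records(SAMPLE_SACL, token, requested, allowed)
```

With these constructed ACLs, a member of HR Staff can read but not write, a user who is both a Domain Admin and a Contractor is still denied writes because the deny entry is evaluated first, and a user that no ACE names gets no access at all, with the SACL producing a record only for the attempts it was configured to audit.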
