How do authentication and authorization happen in Active Directory?
Everything starts when User presses Ctrl+Alt+Del and chooses to log on to the domain.
1. The client Kerberos package, acting on behalf of User, tries to locate a KDC service for the domain; it does so by querying the DNS service. (Windows 2000 and Windows Server 2003 publish two Kerberos-specific SRV records to DNS: _kerberos and _kpasswd. The list of all published SRV records can be found on a domain controller in the file "%windir%\system32\config\netlogon.dns". The SRV DNS records are created automatically during domain controller setup, as part of the dcpromo process.)
2. Once the DC is found, User sends a Kerberos authentication request to the DC. This request authenticates User to the DC and contains a TGT request (KRB_AS_REQ).
3. The Authentication Service authenticates User, generates a TGT, and sends it back to the client (KRB_AS_REP).
Local logon process in a single domain environment.
4. The local machine where User logged on is -- just like any other resource -- a resource for which User needs a ticket. User sends a ticket request to the DC using her TGT (together with an authenticator) (KRB_TGS_REQ).
5. The TGS of the DC checks the TGT and the authenticator, generates a ticket for the local machine, and sends it back to the User (KRB_TGS_REP).
6. On User's machine, the ticket is presented to the Local Security Authority, which creates an access token for User. From then on, any process acting on behalf of User can access the local machine's resources.
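The six steps above as one runnable round trip. This is an added example written for this page, not code from the original post and not the Windows Kerberos implementation: it models the Authentication Service and the Ticket-Granting Service on a single KDC object, the client Kerberos package, and the local machine's check of the service ticket, with a toy hash-based cipher standing in for the Kerberos encryption types and an injectable clock so the skew check can be exercised. The realm EXAMPLE.LOCAL, the user alice, the SPN host/ws01.example.local and the passwords are constructed; the 5-minute skew limit is the Active Directory default, while the ticket lifetime is shortened from the 10-hour default for the toy. Step 1 (the DNS SRV lookup) is left out because it only selects which KDC to talk to.

```python
import hashlib, hmac, json, os

SKEW = 300         # max clock difference the KDC tolerates (the AD default is 5 minutes)
TICKET_LIFE = 600  # constructed short ticket lifetime for this toy (the AD default is 10 hours)

def _derive_key(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (AD uses PBKDF2 for AES keys, MD4 for RC4).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))

def seal(key: bytes, msg: dict) -> dict:
    """Toy authenticated encryption (hash keystream + HMAC); stands in for the Kerberos etype crypto."""
    nonce, pt = os.urandom(16), json.dumps(msg, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(key: bytes, blob: dict, err: str = "KRB_AP_ERR_BAD_INTEGRITY") -> dict:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise PermissionError(err)  # wrong key or tampered blob
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _verify(ticket: dict, auth: dict, now: int) -> None:
    """Checks shared by the TGS (step 5) and the target service (step 6)."""
    if now > ticket["endtime"]:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    if auth["cname"] != ticket["cname"]:
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    if abs(auth["timestamp"] - now) > SKEW:
        raise PermissionError("KRB_AP_ERR_SKEW")  # also limits how long a captured authenticator stays usable

class KDC:  # plays both KDC roles: Authentication Service (AS) and Ticket-Granting Service (TGS)
    def __init__(self, realm, users, services, clock):
        self.users = {u: _derive_key(p, realm + u) for u, p in users.items()}
        self.services = {s: _derive_key(p, realm + s) for s, p in services.items()}
        self.krbtgt = os.urandom(32)  # every TGT is sealed with this key; only the KDC holds it
        self.clock = clock

    def as_exchange(self, req: dict) -> dict:
        """Steps 2-3: KRB_AS_REQ -> KRB_AS_REP. Pre-authentication is a timestamp sealed with the user's key."""
        ukey = self.users[req["cname"]]
        ts = unseal(ukey, req["padata"], "KDC_ERR_PREAUTH_FAILED")["timestamp"]  # wrong password fails here
        now = self.clock()
        if abs(ts - now) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        sk = os.urandom(32)  # TGT session key, shared by the client and the TGS
        tgt = seal(self.krbtgt, {"cname": req["cname"], "key": sk.hex(), "endtime": now + TICKET_LIFE})
        return {"tgt": tgt, "enc_part": seal(ukey, {"key": sk.hex()})}

    def tgs_exchange(self, req: dict) -> dict:
        """Steps 4-5: KRB_TGS_REQ -> KRB_TGS_REP. The TGT says who the user is; the authenticator proves she holds its session key."""
        tgt = unseal(self.krbtgt, req["tgt"])
        sk = bytes.fromhex(tgt["key"])
        now = self.clock()
        _verify(tgt, unseal(sk, req["authenticator"]), now)
        ssk = os.urandom(32)  # service session key
        ticket = seal(self.services[req["sname"]],
                      {"cname": tgt["cname"], "key": ssk.hex(), "endtime": now + TICKET_LIFE})
        return {"ticket": ticket, "enc_part": seal(sk, {"key": ssk.hex()})}

class Client:  # the Kerberos security package acting on behalf of the user
    def __init__(self, realm, user, password, clock):
        self.user, self.clock = user, clock
        self.key = _derive_key(password, realm + user)
        self.tgt = self.session_key = None

    def logon(self, kdc: KDC) -> None:
        padata = seal(self.key, {"timestamp": self.clock()})
        rep = kdc.as_exchange({"cname": self.user, "padata": padata})
        self.tgt = rep["tgt"]
        self.session_key = bytes.fromhex(unseal(self.key, rep["enc_part"])["key"])

    def get_service_ticket(self, kdc: KDC, sname: str):
        authenticator = seal(self.session_key, {"cname": self.user, "timestamp": self.clock()})
        rep = kdc.tgs_exchange({"tgt": self.tgt, "authenticator": authenticator, "sname": sname})
        ssk = bytes.fromhex(unseal(self.session_key, rep["enc_part"])["key"])
        return rep["ticket"], seal(ssk, {"cname": self.user, "timestamp": self.clock()})

def service_accept(service_key: bytes, ticket: dict, authenticator: dict, clock) -> str:
    """Step 6: what the local machine verifies before the LSA builds an access token for the principal."""
    t = unseal(service_key, ticket)
    _verify(t, unseal(bytes.fromhex(t["key"]), authenticator), clock())
    return t["cname"]

def logon_outcome(password="Passw0rd!", offered="Passw0rd!", client_skew=0) -> str:
    """Runs the whole flow with constructed names; returns whose token gets built, or the Kerberos error."""
    realm, now, spn = "EXAMPLE.LOCAL", 1_700_000_000, "host/ws01.example.local"
    kdc = KDC(realm, {"alice": password}, {spn: "machine-account-secret"}, lambda: now)
    alice = Client(realm, "alice", offered, lambda: now + client_skew)
    try:
        alice.logon(kdc)
        ticket, auth = alice.get_service_ticket(kdc, spn)
        return "token for " + service_accept(kdc.services[spn], ticket, auth, lambda: now)
    except PermissionError as e:
        return "denied: " + str(e)
```

Calling `logon_outcome()` returns `token for alice`. With a wrong password the flow stops at pre-authentication with KDC_ERR_PREAUTH_FAILED before any TGT exists, and with a client clock more than five minutes off it stops with KRB_AP_ERR_SKEW, which is why an unsynchronised workstation clock shows up as a Kerberos logon failure rather than a password problem. The same `_verify` checks run in the TGS and in the service: that is the job of the authenticator in steps 4 and 5, since a ticket on its own says nothing about whether the presenter holds its session key.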