Introduction
In an Active Directory domain, users are verified by providing a username and password. This process of verifying who the user is, is called authentication. Once the username and password have been verified, the user is granted access to the network resources they have been authorized to use. One of the problems with a network that relies on usernames and passwords is that, if the protocol is implemented badly, the password itself travels over the network in plain text. Even though you only see asterisks while typing, the password may still be sent in the clear once you hit enter, and anyone who captures that traffic obtains your username and password.
Active Directory authentication, fortunately, provides authentication, integrity and confidentiality. In practice this means that when you enter your password and hit enter, the Microsoft authentication protocol never sends the password itself: it sends a value computed from a hash of the password (NTLM) or from a key derived from it (Kerberos), so capturing the traffic does not directly yield the password. As Active Directory has matured over the years, its authentication protocols have matured with it.
Below I discuss the authentication protocols that Active Directory uses to authenticate clients on the network.
NTLM (NT LAN Manager) Authentication Protocol
In Windows NT 4.0 the NTLM protocol was the default authentication protocol. It remained in Windows 2000 for compatibility with down-level clients and servers (such as Windows 98), while Kerberos became the default for domain members. NTLM is also used to authenticate to standalone computers that are not part of the domain, and whenever a local (non-domain) account is used. Domain-joined computers normally authenticate to servers with Kerberos; they fall back to NTLM when Kerberos is not possible, for example when the server is addressed by IP address rather than by name, when no service principal name (SPN) is registered for the service, or when the target is not domain-joined.
In an Active Directory network NTLM is a suite of protocols that provides authentication, integrity (signing) and confidentiality (sealing) to clients. NTLM is a challenge-response authentication protocol that uses three messages to authenticate a client, with an optional fourth message when message integrity is desired. First the client sends a NEGOTIATE_MESSAGE to the server, advertising the options it supports. The server responds with a CHALLENGE_MESSAGE containing a random 8-byte server challenge (a nonce); the challenge is what lets the server later establish the identity of the client without ever seeing the password. Finally the client responds with an AUTHENTICATE_MESSAGE carrying the username, the domain and the response, which is computed from the server challenge and the user's password hash. For a domain account the server does not hold the hash itself, so it forwards the challenge and the response to a domain controller for validation (pass-through authentication over the Netlogon secure channel).
The NTLM protocol can use one or both of two hashed password values. For domain accounts both values are stored on the domain controller (in the NTDS.dit database); for local accounts they are stored in the machine's SAM. The hashed values are password-equivalent, meaning that if these values are captured from the server, or from the memory of a machine where the user has logged on, an attacker can authenticate as that user without knowing the actual password (the pass-the-hash attack). The two hashes are the LM hash (the password upper-cased, padded or truncated to 14 characters and split into two 7-byte halves, each used as a DES key to encrypt a fixed constant) and the NT hash (MD4 over the UTF-16LE encoding of the password; it is unsalted, so two users with the same password have the same hash). Both hash values are 16 bytes (128 bits) each. Since Windows Vista and Windows Server 2008 the LM hash is no longer stored by default, because its two halves can be cracked independently and case-insensitively in minutes.
Some applications still require NTLM authentication. It is recommended to use a more secure protocol such as Kerberos for authenticating clients and applications. NTLM does not support modern cryptographic methods (it is built on MD4, DES and HMAC-MD5), offers no mutual authentication, and is exposed to relay attacks when signing is not enforced. If your infrastructure can support it, I would recommend a different authentication protocol; audit where NTLM is still used first (the Network security: Restrict NTLM Group Policy settings have an audit-only mode for this) so that turning it off does not break a legacy application.
NTLMv2
NTLMv2 was introduced in Windows NT 4.0 SP4 as a replacement for the less secure NTLM (v1). NTLMv2 keeps the 16-byte NT hash but replaces the DES-based response computation with HMAC-MD5 under 128-bit keys, and it provides a way to stop NT clients sending LM responses at all. The response key, called NTOWFv2, is HMAC-MD5 keyed with the NT hash over the upper-cased username concatenated with the domain name; the responses themselves are HMAC-MD5 under that key over the server challenge together with a randomly generated client challenge. Because the server needs the client challenge to verify the response, the client sends it along as part of the response. The two responses differ in their format. The shorter one, the LMv2 response, uses an 8-byte random client challenge: the 8-byte client challenge is appended to the 16-byte HMAC, making a 24-byte package, the same size as an NTLMv1 response so it fits the old message layout. The longer NTLMv2 response appends a variable-length blob containing a timestamp, the client challenge and the target information copied from the server's CHALLENGE_MESSAGE. The timestamp and client nonce defeat precomputation attacks against a fixed server challenge, and the target-information field is where channel-binding data (Extended Protection for Authentication) is carried. Which variants a computer sends and accepts is controlled by the LmCompatibilityLevel setting (Network security: LAN Manager authentication level); current Windows versions default to sending NTLMv2 responses only. Note that the NT hash remains password-equivalent under NTLMv2: anyone holding it can compute valid responses without the password.
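The hash and response computations of the NTLM and NTLMv2 sections above, as an added Python example that is not code from the original article. It implements MD4 in pure Python to produce the NT hash, derives the NTOWFv2 key and both NTLMv2 responses as laid out in MS-NLMP, and shows the server side verifying a response from the stored hash alone, which is exactly why the hash is password-equivalent. The user name, domain, password, challenges and the empty target-information field are constructed sample values; the LM hash is omitted because it needs DES, which the Python standard library does not provide.

```python
"""NT hash (NTOWFv1), NTOWFv2 and the NTLMv2 / LMv2 responses from MS-NLMP.

Added example with constructed sample values; not code from the original article.
MD4 is implemented in pure Python because OpenSSL 3 ships md4 only in its
"legacy" provider, so hashlib.new("md4") is unavailable on many systems.
"""
import hashlib
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (16 bytes)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, X[k] order, shift cycle)
        (lambda x, y, z: (x & y) | (~x & z), 0,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: the next step updates what was d
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. Unsalted and password-equivalent."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed by the NT hash over UPPER(user) || domain in UTF-16LE.
    The input is the hash, not the password: the hash is all an attacker needs."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def lmv2_response(key_v2: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """LMv2: HMAC-MD5(key, ServerChallenge || ClientChallenge) || ClientChallenge = 16 + 8 bytes."""
    proof = hmac.new(key_v2, server_challenge + client_challenge, hashlib.md5).digest()
    return proof + client_challenge


def ntlmv2_blob(client_challenge: bytes, target_info: bytes, filetime: int) -> bytes:
    """The 'temp' structure of MS-NLMP 3.3.2: version bytes, timestamp, client nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(key_v2: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2: NTProofStr = HMAC-MD5(key, ServerChallenge || blob); response = NTProofStr || blob."""
    return hmac.new(key_v2, server_challenge + blob, hashlib.md5).digest() + blob


def verify_ntlmv2(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server / domain controller side: recompute NTProofStr from the stored NT hash
    and the blob the client sent, then compare in constant time."""
    key_v2 = ntowf_v2(stored_nt, user, domain)
    proof, blob = response[:16], response[16:]
    expected = hmac.new(key_v2, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def filetime_now() -> int:
    """Windows FILETIME: 100 ns intervals since 1601-01-01."""
    return int((time.time() + 11644473600) * 10_000_000)


def demo():
    """Constructed exchange: the genuine hash verifies, a wrong one does not."""
    user, domain, password = "alice", "CORP", "Password"   # sample credentials (constructed)
    server_challenge = os.urandom(8)    # nonce from the CHALLENGE_MESSAGE
    client_challenge = os.urandom(8)    # client nonce
    target_info = b""                   # AV_PAIR list echoed from the server; empty in this demo
    key_v2 = ntowf_v2(nt_hash(password), user, domain)
    blob = ntlmv2_blob(client_challenge, target_info, filetime_now())
    response = ntlmv2_response(key_v2, server_challenge, blob)
    good = verify_ntlmv2(nt_hash(password), user, domain, server_challenge, response)
    bad = verify_ntlmv2(nt_hash("Passw0rd"), user, domain, server_challenge, response)
    return good, bad


if __name__ == "__main__":
    print("NT hash of 'Password':", nt_hash("Password").hex())
    print("genuine verifies, wrong hash verifies:", demo())
```

Run it directly to see the NT hash and the two verification results. The design point is in `verify_ntlmv2`: the verifier never touches the password, only the stored 16-byte hash, so whoever obtains that hash from NTDS.dit, the SAM or LSASS memory can both verify and forge responses.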
Kerberos Network Authentication Protocol
Kerberos is an authentication protocol that allows clients to authenticate over a non-secure network in a secure manner: its protocol messages are protected against eavesdropping and replay attacks. Kerberos uses secret-key (symmetric) cryptography to provide clients with a mechanism for secure authentication. Kerberos not only provides authentication but also establishes a session key that the client and server can use to sign or encrypt their traffic, giving integrity and confidentiality. Kerberos relies on a trusted third-party service, the key distribution center (KDC), which in Active Directory runs on every domain controller. The KDC consists of two logically separate parts, an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos is a ticket-based process that establishes the identity of clients. The KDC maintains a database of secret keys: every principal on the network, whether a user, workstation or server, has a long-term key derived from its password that is known only to itself and the KDC (in Active Directory these keys are kept in the domain controller's NTDS.dit). Proving knowledge of that key, without ever sending it, is how a client proves its identity. The flow has three exchanges. The client sends an AS-REQ, normally with a pre-authentication timestamp encrypted under its own key, and receives an AS-REP containing a ticket-granting ticket (TGT, encrypted under the krbtgt account's key so the client cannot read or alter it) plus a session key. To reach a service it presents the TGT and an authenticator in a TGS-REQ and receives a service ticket (encrypted under the service account's key) and a new session key. Finally it sends the service ticket and a fresh authenticator in an AP-REQ directly to the service, which validates them with its own key and never has to contact the KDC. Each session key is generated fresh by the KDC and secures the interactions of that client and server pair. Because tickets are bound to a service principal name (SPN) and the authenticators carry timestamps checked against a maximum clock skew (five minutes by default), Kerberos needs correctly registered SPNs and synchronized clocks; when either is missing, Windows quietly falls back to NTLM.
Mutual Authentication
Mutual authentication is a process in which the client (a user, workstation or server) must prove its identity to the server it is connecting to, and that server must prove its identity to the client, so that the client cannot be tricked into sending data to an impostor. This process must complete successfully before any application traffic is sent between the two. In Kerberos the service proves itself by returning an AP-REP: it decrypts the ticket with its own long-term key, recovers the session key, and uses it to encrypt the timestamp from the client's authenticator; only a server that holds the real service key can produce that reply. Applications ask for this behaviour through the Security Support Provider Interface (SSPI) by requesting the mutual-authentication flag (ISC_REQ_MUTUAL_AUTH) when the security context is established. NTLM does not provide mutual authentication, which is one reason it is susceptible to relay attacks.
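The AS, TGS and AP exchanges of the Kerberos section and the AP-REP of the mutual authentication section above, as an added Python simulation that is not code from the original article. A toy HMAC-SHA256 encrypt-then-MAC (`seal`/`unseal`) stands in for the real Kerberos encryption types, a SHA-256 of the password stands in for the Kerberos string-to-key function, and JSON dictionaries stand in for the ASN.1 message structures; the realm, principal names, passwords and keys are constructed sample values. What the simulation preserves is the trust structure: the KDC holds every long-term key, tickets are encrypted under keys the client never sees, and the service proves itself in the AP-REP by encrypting the client's timestamp under the session key.

```python
"""Kerberos AS, TGS and AP exchanges in miniature, with mutual authentication.

Added example with constructed principals and keys; not code from the original
article. seal/unseal are a toy HMAC-SHA256 encrypt-then-MAC standing in for the
real Kerberos encryption types; JSON dicts stand in for the ASN.1 structures.
"""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 10 * 3600   # ticket lifetime in seconds (the AD default is 10 hours)
MAX_SKEW = 300         # Kerberos default maximum clock skew (5 minutes)


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]


def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError on a wrong key or a modified blob (bad password, forged ticket)."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function deriving a principal's long-term key."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Authentication Server and Ticket-Granting Server; holds every principal's long-term key."""

    def __init__(self, keys: dict):
        self.keys = keys   # principal name -> long-term key; "krbtgt" protects TGTs

    def as_exchange(self, cname: str, pa_enc_timestamp: bytes):
        """AS-REQ -> AS-REP. Pre-auth: only a client holding its key can encrypt a fresh timestamp."""
        ck = self.keys[cname]
        ts = unseal(ck, pa_enc_timestamp)["ts"]          # wrong key -> KDC_ERR_PREAUTH_FAILED
        if abs(time.time() - ts) > MAX_SKEW:
            raise ValueError("clock skew too great")
        session = os.urandom(32)                          # TGS session key
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": session.hex(), "exp": time.time() + LIFETIME})
        return tgt, seal(ck, {"key": session.hex(), "sname": "krbtgt"})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        """TGS-REQ -> TGS-REP. The TGT is opaque to the client; the authenticator proves it holds the session key."""
        t = unseal(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        if t["exp"] < time.time() or unseal(sk, authenticator)["cname"] != t["cname"]:
            raise ValueError("expired TGT or authenticator mismatch")
        svc_session = os.urandom(32)                      # service session key
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": svc_session.hex(), "exp": time.time() + LIFETIME})
        return ticket, seal(sk, {"key": svc_session.hex(), "sname": sname})


def client_get_service_ticket(kdc: KDC, user: str, password: str, sname: str):
    ck = string_to_key(password)
    tgt, enc = kdc.as_exchange(user, seal(ck, {"ts": time.time()}))
    tgs_key = bytes.fromhex(unseal(ck, enc)["key"])   # only the real user can read the AS-REP
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgs_key, {"cname": user, "ts": time.time()}), sname)
    return ticket, bytes.fromhex(unseal(tgs_key, enc)["key"])


def service_ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes):
    """AP-REQ -> AP-REP. The service validates the ticket with its own key and never contacts the KDC."""
    t = unseal(service_key, ticket)
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, authenticator)
    if a["cname"] != t["cname"] or t["exp"] < time.time() or abs(time.time() - a["ts"]) > MAX_SKEW:
        raise ValueError("bad authenticator")
    # AP-REP: echoing the client's timestamp under the session key is the server's proof of identity
    return t["cname"], seal(sk, {"ts": a["ts"]})


def mutual_auth(kdc: KDC, user: str, password: str, sname: str, service_key: bytes) -> bool:
    """Full flow; True only when both the client and the service proved themselves."""
    try:
        ticket, sk = client_get_service_ticket(kdc, user, password, sname)
        ts = time.time()
        who, ap_rep = service_ap_exchange(service_key, ticket, seal(sk, {"cname": user, "ts": ts}))
        return who == user and unseal(sk, ap_rep)["ts"] == ts
    except ValueError:
        return False   # wrong password at the AS, or a service that cannot open the ticket


def demo():
    """Constructed realm: genuine login, wrong password, and a rogue service without the real key."""
    svc = "cifs/fs01.corp.example"
    kdc = KDC({"krbtgt": os.urandom(32), "alice": string_to_key("Passw0rd!"), svc: os.urandom(32)})
    return (mutual_auth(kdc, "alice", "Passw0rd!", svc, kdc.keys[svc]),
            mutual_auth(kdc, "alice", "wrong", svc, kdc.keys[svc]),
            mutual_auth(kdc, "alice", "Passw0rd!", svc, os.urandom(32)))
```

Calling `demo()` returns `(True, False, False)`: the genuine exchange succeeds, a wrong password fails at pre-authentication before any ticket is issued, and an impostor service that does not hold the service key cannot open the ticket, so it cannot produce the AP-REP the client checks. That last case is the mutual-authentication guarantee that NTLM lacks.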
Summary
This article provides a brief description of the authentication protocols used when authenticating clients in an Active Directory domain. When possible, it is best to use the latest and most secure protocol available, which today means Kerberos. In some environments an older protocol is still used because of older infrastructure or application dependencies; in that case, enforce NTLMv2-only responses, require signing, and audit where NTLM is still in use so that it can eventually be disabled.
Filed under: TUTORIALS