Windows Active Directory

Authentication vs authorization process: An explanation

What you’ll learn:

Active Directory authentication and authorization are security processes. They are necessary in any environment so that its resources are not misused. In this article, we will look at authentication vs authorization in an AD environment and how AD handles each process. Before going further, let’s look at the difference between authentication and authorization.

Authentication vs authorization

Authentication and authorization are both security-related processes. However, their functions are different. Authentication deals with the verification of identity. It determines whether a person or a machine is who they say they are.

Authorization, on the other hand, deals with allowing a person or a machine access to resources. Authorization determines whether a person or a machine has the permissions necessary to access certain resources in a network.

What is AD authentication?

The AD authentication system verifies the identity of any user who is trying to log in to the AD network. After successful authentication, the user is allowed to access the AD network’s resources. Active Directory uses the Kerberos protocol to authenticate its users. The Kerberos authentication protocol succeeds the NTLM protocol. Kerberos authentication is far superior to NTLM authentication because Kerberos uses a stronger encryption format called symmetric key cryptography, and the whole authentication process is handled by an independent third party, separate from both the client and the server that grants the service.

A brief history of Kerberos protocol

The Kerberos protocol is a cross-platform authentication protocol. It was initially developed at the Massachusetts Institute of Technology for a project called Athena. Kerberos has been the backbone of authentication for Active Directory since the introduction of Windows Server 2003. The protocol derives its name from Cerberus, the three-headed dog of Greek mythology, because the Kerberos protocol uses three components for the authentication process.

How AD authentication works using Kerberos

The three components for a Kerberos authentication process to work are:

The KDC has two services, which are:

The KDC service is installed in the domain controller.

Functions of components of Kerberos authentication

Let’s say that John is a client who wants access to a service in server A. Here’s how the three components of Kerberos authentication function to provide AD authentication:

[Figure: Kerberos user authentication process]

What is AD authorization?

The Active Directory authorization process secures AD resources against unauthorized access. After a user is authenticated by the AD authentication process, the resources that user can access are also defined. This is done using access control lists (ACLs) and access control entries (ACEs). Each object in AD has an ACL associated with it that determines which users can access the object.

Access control lists and access control entries

Access Control Lists (ACLs) are tables, or simple lists, that define the trustees that have access to the object in question, and also what type of access these trustees have. A trustee may be any security principal such as a user account, group account, or a login session. Each ACL has a list of ACEs, and each ACE names a trustee and defines what type of access the trustee has for the object in question.

There are two types of ACLs, which are as follows:

When a user tries to access an object in the AD network, the AD authorization process checks the DACL to see whether the user is mentioned, and if so, whether the user is given permission and what type of permission is given. Only if the user is given permission will the system authorize the user to access the resource. This is how user authorization works in the AD environment.
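Added example (not from the article): a small Python model of the DACL walk just described, so the order-dependent behaviour can be exercised. The ACE/DACL classes, check_access, the reduced set of access bits and the SIDs are all constructed for illustration and are not Windows APIs.

```python
from dataclasses import dataclass, field

# Access rights as bit flags (constructed subset for illustration; real
# Windows access masks are 32-bit values with many more bits).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass
class ACE:
    """One access control entry: a trustee (SID), allow or deny, and an access mask."""
    trustee: str
    allow: bool
    mask: int


@dataclass
class DACL:
    """An ordered list of ACEs; passing None instead models a missing (null) DACL."""
    aces: list = field(default_factory=list)


def check_access(dacl, principal_sids, requested):
    """Decide whether a principal holding `principal_sids` gets `requested` rights.

    Mirrors the ordered DACL walk described above:
      * a null DACL grants everything, an empty DACL grants nothing;
      * ACEs are evaluated in order, matching on any SID the principal holds;
      * a deny ACE covering any requested right stops the walk with a denial;
      * allow ACEs accumulate until every requested right is granted.
    """
    if dacl is None:
        return True
    granted = 0
    for ace in dacl.aces:
        if ace.trustee not in principal_sids:
            continue  # this ACE does not mention the user or any of their groups
        if not ace.allow and ace.mask & requested:
            return False  # an explicit deny wins as soon as it is reached
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False  # nobody mentioned the user, or rights were only partly granted


# Constructed sample: John holds his own SID plus the Staff group SID.
JOHN = {"S-1-5-21-EXAMPLE-1001", "S-1-5-21-EXAMPLE-513"}
SHARE_DACL = DACL([
    ACE("S-1-5-21-EXAMPLE-513", allow=True, mask=READ),            # Staff: read
    ACE("S-1-5-21-EXAMPLE-1001", allow=False, mask=WRITE),         # John: deny write
    ACE("S-1-5-21-EXAMPLE-1001", allow=True, mask=WRITE | DELETE), # John: allow write+delete
])
```

With this DACL, John can read and delete but not write: the deny ACE is reached before the allow ACE that would otherwise grant write.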

[Figure: Access Control Lists (ACLs) and Access Control Entries (ACEs)]
