Tuesday, December 18, 2012

Understanding Authentication Protocols

Authentication is the process of allowing or denying a user access to the network.

Network Authentication Protocols
NTLM - NT LAN Manager
Kerberos

The above two protocols are commonly used in networks to authenticate users against the domain controller.

NT LAN Manager (NTLM) is the authentication mechanism introduced in Windows NT. It is a newer version of LM (LAN Manager) and uses a challenge-response algorithm.
Whenever a client requests access to a server or any resource on it, the client sends the username to the server, and the server generates a challenge and sends it to the client;
the client then encrypts that challenge using the user's password and sends the response to the server. If the user is a local user, the server validates the response against the
Security Account Manager (SAM); if the user is a domain user, the server forwards the response to the domain controller, which validates it, retrieves the group policy for that user account,
constructs an access token and establishes the session. With this approach the client has to validate every time it needs to access a network resource, which creates load.
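As an added example (not code from the original post), a simplified Python model of the exchange just described: the client never sends the password, the server checks local users against its own store and forwards domain users to the DC, and each challenge is random and single-use. The SHA-256 key derivation and HMAC-SHA256 response are assumptions standing in for the real NTLM functions, and the account names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Simplified model of the NTLM challenge/response flow. NOT the real NTLM wire format:
# real NTLM derives the key with MD4 over the UTF-16LE password and uses HMAC-MD5;
# SHA-256 / HMAC-SHA256 are assumptions used here purely for illustration.

def password_key(password: str) -> bytes:
    """Password-derived key kept by the SAM or the DC; it never crosses the wire."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(key: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the key by keying a MAC over the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class DomainController:
    """Holds domain accounts; servers forward responses here for domain users."""
    def __init__(self, accounts: dict):
        self._keys = {u.lower(): password_key(p) for u, p in accounts.items()}
    def validate(self, username: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(username.lower())
        if key is None:
            return False
        return hmac.compare_digest(compute_response(key, challenge), response)

class Server:
    """Checks local users against its own store (the SAM in the text) and forwards
    domain users to the DC. Every challenge is random and consumed on first use."""
    def __init__(self, local_accounts: dict, dc: DomainController):
        self._sam = {u.lower(): password_key(p) for u, p in local_accounts.items()}
        self._dc = dc
        self._pending = {}  # username -> outstanding challenge

    def start_auth(self, username: str) -> bytes:
        challenge = os.urandom(8)
        self._pending[username.lower()] = challenge
        return challenge

    def finish_auth(self, username: str, response: bytes) -> bool:
        challenge = self._pending.pop(username.lower(), None)  # single-use
        if challenge is None:
            return False  # no challenge outstanding (or already consumed)
        key = self._sam.get(username.lower())
        if key is not None:
            return hmac.compare_digest(compute_response(key, challenge), response)
        return self._dc.validate(username, challenge, response)

def login(server: Server, username: str, password: str) -> bool:
    # Full exchange: username -> challenge -> response -> verdict
    challenge = server.start_auth(username)
    return server.finish_auth(username, compute_response(password_key(password), challenge))
```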

Kerberos
Kerberos has three heads: the KDC (Key Distribution Center), the AS (Authentication Service) and the TGS (Ticket Granting System). The KDC is installed as part of the domain controller.
It uses a ticket-based approach. When a client computer requests access to a server or the resources on it, it requests a TGT (Ticket Granting Ticket) from the AS in the user's domain.
During authentication a ticket is issued to the client by the domain controller; once it has received the ticket, the client can access resources on the network (if the TGT is present on the server)
without having to authenticate again, which is what we call single sign-on. It is time based: tickets expire after a certain time. To use Kerberos, both the client and the server must be in the same domain. It requires registered SPNs (Service Principal Names), which are unique identifiers for services running on servers.