User Authentication and User Authorization
Active Directory user authentication confirms the identity of any user trying to log on to a domain. After confirming the identity of the user, he is allowed access to resources.
A key feature of this is the single sign-on capability. This requires the user to provide his credentials only once and access multiple services. The authentication process is done using Kerberos protocol. Kerberos protocol consists of three key components:
- Key Distribution Center (KDC),
- The client and
- The target server with the desired service to access.
The KDC is installed as part of the domain controller and it performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). The Authentication Service issues the Ticket Granting Ticket (TGT) after confirming the identity of the user. This ticket is in turn used to obtain the service ticket for the target server. Using the service ticket granted, the user can access the resources on the server. The process is shown in figure 3.
Active Directory user authorization secures resources from unauthorized access. After user authentication process, the type of access actually granted is determined by what user rights are assigned to the user and what permissions are attached to the objects the user wishes to access. Each object has Access Control Lists associated with it.
- DACL- The Discretionary Access Control List (DACL) specifies a list of user accounts, groups that are allowed or denied access to a particular object.
- SACL- The System Access Control List (SACL) defines operations such as read, write or delete that should be audited for a user or group.
Each list is made up of Access control entries that list the permissions allowed or denied for a user or a group. Each time a user logs on, an access token is created for the user. The access token consists of Individual SID, Group SID and User rights.
- Individual Security Identifier uniquely identifies the logged on user.
- The group SID identifies the group to which the user belongs to.
- User rights are assigned to both individual users and groups. They include privileges such as backing up of files or directories and logon rights.
When a user requests for an access to a particular object, the individual SID and group SID in the access token is compared against the DACL entries to see if the user is explicitly denied access. Then it checks if the requested access can be specifically permitted. These steps are repeated until a No access is encountered or sufficient information is collected to grant access to the resource.
Related Articles
How to list all user accounts in the domain using Powershell
Active Directory (AD) is the backbone of user authentication and authorization in Windows environments. Managing user accounts within AD is a critical task for system administrators. PowerShell, with its robust capabilities, offers an efficient way ...Active Directory User objects
A user object in AD is used to represent a real user in an organizational network environment. Say for example Joshua is a new employee in my organization, and I need to allow him accesses to various resources of the organization. All I have to do to ...Active Directory User
With AD environments made up of fundamental entities called objects, user accounts serve as the interface between the AD environment and people. This video dwells in-depth about AD Users' object, its most important attributes, and the purpose of ...Active Directory Objects List
Objects are the fulcrum of Active Directory. The ease of an organization’s resource management comes from the fact that objects give AD a modular structure. Introduction The individual components of an organization’s network are called objects in ...Active Directory User properties – Profile tab
The profile tab of the user properties window allows you to configure user profile, logon scripts and home folder details for the user object. It is very useful when you have to allow your user access the same environment and data irrespective of the ...