1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Active Directory single sign-on

Discussion in 'Active Directory Exams' started by lifeisshortmove, Jun 25, 2011.

  1. lifeisshortmove

    lifeisshortmove Bit Poster

    42
    0
    19
    I have a problem understanding the steps in AD single sign-on procedure. As far as I know, Single sign-on means a domain user ONLY enters his/her user name and password once when he/she logs into the system and he/she doesn't need to enter it again to access any network resource such as a shared folder on a file server or a shared printer...etc.

    That's what I know so far, when a DC boots up its netlogon service registers SRV records in DNS. When a client computer boots up it gets its IP address, subnet mask, Default Gateway, IP of DNS server either from DHCP or statically. When a user tries to log into the domain, first it needs to locate the DC and that is done by contacting the DNS server to get the IP address of the DC it should log into. After that kerberos encrypts the username and password and sends them to the DC to check it against its database. Now the question is how a user access network resources in AD domain without entering user name and password again.
    Does the DC get in the process of authentication and authorization again?
     
  2. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    Expect others can give a better explanation but its all based on Kerberos, which is a Ticket Granting System.

    The authentication token is exchanged for a ticket, over time there can be many tickets, extra tickets can be created either to provide access to remote resources or to extend the current session.

    The username and password security token is normally hashed, hasing is an example of a one-way-function, its not really encryption because decryption is not really possible.

    There are various advantages/disadvantages to this system. Advantages include extra security because password only sent once, tickets have limited lifetime, signing provides non-repudiation etc. Disadvantages include possible single point of failure from KDC/TGS and all system clocks must be synchronized for ticket timestamps to work.
     
    Last edited: Jun 25, 2011
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
  3. lifeisshortmove

    lifeisshortmove Bit Poster

    42
    0
    19
    I know that a DC TGS (Ticket Granting Service) generates a TGT (Ticket Granting Ticket) for the user that logs into the domain. The client computer retains that TGT. When it tries to access a shared folder on a server, what happens exactly???
    Does it contact the DC again and check its TGT or the file server has a way or another to check its Ticket weather it's expired or not?
     
  4. dmarsh

    dmarsh Terabyte Poster

    3,782
    302
    184
    Based on this :-
    Kerberos Explained

    I'd say the client gets a service ticket from the TGS then sends it to the Service Server, which then grants access to the resource.

    In some situations the Service Server may contact the TGS to get further access to other resources, using impersonation/delegation.
     
    Last edited: Jun 25, 2011
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH

Share This Page

Loading...