Active Directory single sign-on

Discussion in 'Active Directory Exams' started by lifeisshortmove, Jun 25, 2011.

  1. lifeisshortmove

    lifeisshortmove Bit Poster

    I have a problem understanding the steps in the AD single sign-on procedure. As far as I know, single sign-on means a domain user ONLY enters his/her user name and password once when he/she logs into the system, and he/she doesn't need to enter it again to access any network resource such as a shared folder on a file server or a shared printer, etc.

    That's what I know so far: when a DC boots up, its Netlogon service registers SRV records in DNS. When a client computer boots up, it gets its IP address, subnet mask, default gateway and the IP of the DNS server either from DHCP or statically. When a user tries to log into the domain, first it needs to locate the DC, and that is done by contacting the DNS server to get the IP address of the DC it should log into. After that, Kerberos encrypts the username and password and sends them to the DC to check against its database. Now the question is how a user accesses network resources in an AD domain without entering the user name and password again.
    Does the DC get into the process of authentication and authorization again?
     
  2. dmarsh
    Honorary Member 500 Likes Award

    dmarsh Petabyte Poster

    Expect others can give a better explanation, but it's all based on Kerberos, which is a ticket granting system.

    The authentication token is exchanged for a ticket. Over time there can be many tickets; extra tickets can be created either to provide access to remote resources or to extend the current session.

    The username and password security token is normally hashed. Hashing is an example of a one-way function; it's not really encryption because decryption is not really possible.

    There are various advantages/disadvantages to this system. Advantages include extra security because the password is only sent once, tickets have a limited lifetime, signing provides non-repudiation, etc. Disadvantages include a possible single point of failure from the KDC/TGS, and all system clocks must be synchronized for ticket timestamps to work.
     
    Last edited: Jun 25, 2011
  3. lifeisshortmove

    lifeisshortmove Bit Poster

    I know that a DC's TGS (Ticket Granting Service) generates a TGT (Ticket Granting Ticket) for the user that logs into the domain. The client computer retains that TGT. When it tries to access a shared folder on a server, what happens exactly?
    Does it contact the DC again to check its TGT, or does the file server have one way or another to check its ticket, whether it's expired or not?
     
  4. dmarsh
    Honorary Member 500 Likes Award

    dmarsh Petabyte Poster

    Based on this:
    Kerberos Explained

    I'd say the client gets a service ticket from the TGS then sends it to the Service Server, which then grants access to the resource.

    In some situations the Service Server may contact the TGS to get further access to other resources, using impersonation/delegation.
     
    Last edited: Jun 25, 2011
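The exchange described in the answer above, as an added illustration that is not part of the original thread: a simplified model of the three Kerberos exchanges (AS: password check, TGT issued; TGS: TGT swapped for a service ticket; AP: the file server checks the ticket by itself). HMAC seals stand in for Kerberos ticket encryption, the keys, user and service names are constructed, and session keys and authenticators are omitted. The point it shows is that the file server never needs to call the DC: the service ticket is sealed with the server's own long-term key, so it can verify the ticket and its expiry locally.

```python
import hmac, hashlib, json, secrets, time

# Constructed long-term keys. In AD these derive from account passwords:
# "krbtgt" is the KDC's own key, "cifs/fs01" the file server's key.
KEYS = {"krbtgt": secrets.token_bytes(32), "cifs/fs01": secrets.token_bytes(32)}
LIFETIME = 10 * 3600  # default AD ticket lifetime: 10 hours
TAG_LEN = 32          # SHA-256 digest length

def seal(key, payload):
    # Stand-in for Kerberos encryption: JSON body plus an HMAC tag.
    body = json.dumps(payload, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("not sealed with this key")
    return json.loads(body)

def kdc_issue_tgt(user, now):
    # AS exchange: after the DC has checked the password once, it hands back a
    # TGT sealed with the krbtgt key. Only the KDC can open it.
    return seal(KEYS["krbtgt"], {"user": user, "svc": "krbtgt", "expires": now + LIFETIME})

def kdc_issue_service_ticket(tgt, service, now):
    # TGS exchange: the client presents the TGT (no password) and names the
    # service; the KDC returns a ticket sealed with that service's own key.
    t = unseal(KEYS["krbtgt"], tgt)
    if t["expires"] < now:
        raise ValueError("TGT expired; user must log on again")
    return seal(KEYS[service], {"user": t["user"], "svc": service, "expires": t["expires"]})

def service_accept(service, ticket, now):
    # AP exchange: the server checks the ticket with its own key and its own
    # clock. Returns the authenticated user, or None if the ticket is bad.
    try:
        t = unseal(KEYS[service], ticket)
    except ValueError:
        return None
    if t["svc"] != service or t["expires"] < now:
        return None
    return t["user"]

if __name__ == "__main__":
    now = int(time.time())
    tgt = kdc_issue_tgt("alice", now)
    st = kdc_issue_service_ticket(tgt, "cifs/fs01", now)
    print("fs01 accepts:", service_accept("cifs/fs01", st, now))
```

A ticket replayed after its expiry, or presented to a service other than the one it was issued for, is rejected by the server alone; the clock-synchronisation caveat from the earlier reply is the `now` check in `service_accept`.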
