
Windows Active Directory is based on Kerberos and LDAP. When authenticating via the Domain Controller, how does my endpoint know that it's really speaking to the DC?

Likewise, AD can be used to authenticate for services hosted on other machines (e.g. SQL Server). How does the SQL Server know that the DC is the real DC?

SRobertJames
  • Via the [Domain Controller Locator Process](https://blogs.technet.microsoft.com/arnaud_jumelet/2010/07/11/domain-controller-locator-in-depth/). – user2320464 Jul 30 '17 at 19:06
  • The Domain Controller Locator Process lets you _find_ the DC, not authenticate it. – SRobertJames Jul 31 '17 at 03:23
  • The system is already domain joined, so it knows the DC to authenticate against by using the aforementioned process. Beyond that dig into how Kerberos and NTLM authentication work. Your question is vague, so providing more detail or including an example would help. – user2320464 Jul 31 '17 at 14:03

2 Answers

2

The DC is not authenticated as a DC, but otherwise, as part of the Kerberos authentication mechanism, both sides require a shared secret (your password). The ephemeral encryption key used to encrypt the AS-REP (which has the TGT) in transit is passed using that shared secret. So assuming someone has your password (and your machine account password if you are using Windows), he can spoof a DC. Notice that if you want to access any external service, the DC needs to know the shared secret for that service, so essentially it's being verified on the fact that it needs prior knowledge of everyone's password.

Jonathan Allon
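The following is an added example, not code from the answer above or from any Microsoft component: a toy model of the three Kerberos exchanges (AS, TGS, AP) that shows the point the answer makes. The endpoint never "authenticates the DC" with a certificate; it decrypts the AS-REP with its own long-term key and checks the nonce it sent, which only succeeds if the responder already held that key. Likewise the SQL Server host accepts a service ticket only if it opens under the service account's own key, which a rogue KDC does not have. The realm, principal names, passwords and the HMAC-based "encryption type" are all constructed for the demo; real Kerberos uses the RFC 4120 ASN.1 messages and RFC 3961 encryption types, none of which are reproduced here.

```python
"""Toy Kerberos AS/TGS/AP model. Illustration only: not RFC 4120 wire format."""
import hashlib
import hmac
import json
import secrets


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key: long-term key from password + realm/principal salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag), standing in for a Kerberos etype."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    iv = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    iv, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, iv, len(ciphertext)))))


class KDC:
    """Key Distribution Center: holds every principal's long-term key (in AD, the copy in NTDS.dit)."""

    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.keys = {name: string_to_key(pw, realm + name) for name, pw in passwords.items()}

    def as_exchange(self, cname: str, nonce: int):
        """AS-REQ -> AS-REP: enc-part is sealed under the client's key, TGT under krbtgt's key."""
        session_key = secrets.token_bytes(32)
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "session": session_key.hex()})
        enc_part = seal(self.keys[cname], {"session": session_key.hex(), "nonce": nonce, "srealm": self.realm})
        return tgt, enc_part

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        """TGS-REQ -> TGS-REP: the service ticket is sealed under the service's key."""
        tgt_body = unseal(self.keys["krbtgt"], tgt)
        session_key = bytes.fromhex(tgt_body["session"])
        if unseal(session_key, authenticator)["cname"] != tgt_body["cname"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = secrets.token_bytes(32)
        ticket = seal(self.keys[sname], {"cname": tgt_body["cname"], "session": svc_session.hex()})
        return ticket, seal(session_key, {"session": svc_session.hex(), "sname": sname})


def client_login(kdc: KDC, realm: str, cname: str, password: str):
    """Endpoint side of the AS exchange: decrypting the AS-REP with our own key and checking the nonce
    is the only thing that ties the reply to a KDC that already knew our secret."""
    key = string_to_key(password, realm + cname)
    nonce = secrets.randbits(32)
    tgt, enc_part = kdc.as_exchange(cname, nonce)
    rep = unseal(key, enc_part)  # ValueError if the responder did not hold our key
    if rep["nonce"] != nonce:
        raise ValueError("AS-REP nonce mismatch")
    return tgt, bytes.fromhex(rep["session"])


def client_get_service_ticket(kdc: KDC, cname: str, tgt: bytes, session_key: bytes, sname: str):
    ticket, enc_part = kdc.tgs_exchange(tgt, seal(session_key, {"cname": cname}), sname)
    return ticket, bytes.fromhex(unseal(session_key, enc_part)["session"])


def service_accepts(service_key: bytes, cname: str, ticket: bytes, svc_session: bytes) -> bool:
    """AP-REQ check on the service host (e.g. SQL Server): the ticket must open under the service's own key."""
    try:
        body = unseal(service_key, ticket)
        auth = unseal(bytes.fromhex(body["session"]), seal(svc_session, {"cname": cname}))
    except ValueError:
        return False
    return auth["cname"] == body["cname"]


def demo() -> dict:
    realm, svc = "CORP.EXAMPLE", "MSSQLSvc/sql01"  # constructed sample principals
    real_kdc = KDC(realm, {"krbtgt": "k3y-for-krbtgt", "alice": "Passw0rd!", svc: "svc-acct-secret"})
    rogue_kdc = KDC(realm, {"krbtgt": "attacker", "alice": "wrong-guess", svc: "also-wrong"})
    sql_key = string_to_key("svc-acct-secret", realm + svc)  # what the SQL Server host holds
    results = {}
    tgt, sk = client_login(real_kdc, realm, "alice", "Passw0rd!")
    results["real_login"] = True
    try:
        client_login(rogue_kdc, realm, "alice", "Passw0rd!")
        results["rogue_login_rejected"] = False
    except ValueError:
        results["rogue_login_rejected"] = True
    ticket, ssk = client_get_service_ticket(real_kdc, "alice", tgt, sk, svc)
    results["service_accepts_real"] = service_accepts(sql_key, "alice", ticket, ssk)
    rtgt, rsk = client_login(rogue_kdc, realm, "alice", "wrong-guess")  # attacker's own "alice"
    rticket, rssk = client_get_service_ticket(rogue_kdc, "alice", rtgt, rsk, svc)
    results["service_rejects_rogue"] = not service_accepts(sql_key, "alice", rticket, rssk)
    return results


if __name__ == "__main__":
    print(demo())
```

The two failure paths are the ones the answer implies: the rogue KDC cannot produce an AS-REP that decrypts under alice's key, and the ticket it forges for `MSSQLSvc/sql01` fails the integrity check under the real service account key. The flip side, also in the answer, is that anyone holding the user's and the machine's long-term keys passes both checks.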
0

I believe this is done through Kerberos authentication tickets against the host and the DC in question. The first step would be to authenticate to the DC, provided that the host has been joined to the domain. For additional info take a look at the Domain Controller Locator Process: https://technet.microsoft.com/en-us/library/cc978011.aspx

TSE