In Active Directory, what connects the KDC's principals to their corresponding LDAP entries? For example, my KC principal might be

Name[/Instance]@REALM
john/admin@company.com

and my LDAP entry might be:

dn: cn=john,dc=company,dc=com
objectclass: somewhere

but how does Active Directory "connect" the two? SRV records? For example, when I log in (i.e., use Kerberos), how does AD match my Kerberos principal to my LDAP entry?

UPDATE: This MSDN article comes close to answering the question, but doesn't clearly explain the flow: "The Key Distribution Center (KDC) is implemented as a domain service. It uses the Active Directory as its account database and the Global Catalog for directing referrals to KDCs in other domains. The KDC for a domain is located on a domain controller, as is the Active Directory for the domain. Both services [sic? probably meant the 3 services of Kerberos: AS, TGS, and password reset] are started automatically by the domain controller's Local Security Authority (LSA) and run as part of the LSA's process."

mellow-yellow
  • If I read your question correctly - it's a bit difficult to understand - you are looking for the attribute called UPN (rather than SPN that mentioned by Jacob's answer below) – strongline Nov 20 '17 at 02:45

2 Answers

2

An LDAP attribute called SPN (service provider name), the primary being HOST.

Jacob Evans
  • Any details here? Your answer doesn't explain why, for example, Administrator has no SPNs: `C:\Users\Administrator>setspn -L Administrator` → `Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=company,DC=com:` (empty) – mellow-yellow Nov 19 '17 at 00:55
  • Users by default have no services; they are users. They are not workstations to have `host`, or MSSQL servers to have `MSSQL`, so they do not have SPNs (by default; an MSSQL service, for example, would have them added to delegate permissions). The username is your Kerberos identity. Type `klist`. – Jacob Evans Nov 19 '17 at 03:55
0

If you're more wondering where an AD-joined object is looking to find the realm to authenticate with, yes, it's SRV records.

In the root namespace for the domain, there are _tcp_ldap, _tcp_gc (for the AD Global Catalog LDAP interface), _tcp_kerberos and _tcp_kpasswd SRV records as service locators for anything using the domain DNS for name resolution. There should be one of each for each DC in the domain. The two Kerberos-related ones have UDP SRVs as well.

In addition, there are site-specific SRV records. If the domain is segmented into sites by IP subnets, by default, DCs in that IP range will register the same set of SRVs in a _sitename subzone. If there are no DCs within a site boundary, all of them will register SRVs in that DNS subzone, although that can be altered by GPO. Finally, for Active Directory, there is an _msdcs.[domainFQDN] zone, which has yet another copy of all the above SRVs. This is what Windows clients use first when identifying services.

LeeM
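As an added illustration of the locator records this answer describes (example code, not from the original thread): it parses zone-file style SRV answers such as a `dig SRV` dump, groups them by target DC, and reports which expected root-zone, per-site and `_msdcs` records each DC is missing. The `_ldap._tcp.dc._msdcs` / `_kerberos._tcp.dc._msdcs` owner-name form, the `<site>._sites` layout and the exclusion of `_gc._tcp` (only Global Catalog DCs register it) are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Zone-file style SRV line: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+?)\.?$")

# Locator records every DC registers in the domain root (and per-site) zone.
# _gc._tcp is left out: only DCs that are Global Catalogs register it (assumed).
PER_DC = ["_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
          "_kpasswd._tcp", "_kpasswd._udp"]
# The _msdcs copy that Windows clients consult first (owner-name form assumed).
MSDCS = ["_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs"]

# Constructed sample answer (not real records): dc1 is complete, dc2 lacks
# its two UDP records and both _msdcs entries.
SAMPLE = """
_ldap._tcp.company.com. 600 IN SRV 0 100 389 dc1.company.com.
_ldap._tcp.company.com. 600 IN SRV 0 100 389 dc2.company.com.
_kerberos._tcp.company.com. 600 IN SRV 0 100 88 dc1.company.com.
_kerberos._tcp.company.com. 600 IN SRV 0 100 88 dc2.company.com.
_kerberos._udp.company.com. 600 IN SRV 0 100 88 dc1.company.com.
_kpasswd._tcp.company.com. 600 IN SRV 0 100 464 dc1.company.com.
_kpasswd._tcp.company.com. 600 IN SRV 0 100 464 dc2.company.com.
_kpasswd._udp.company.com. 600 IN SRV 0 100 464 dc1.company.com.
_ldap._tcp.dc._msdcs.company.com. 600 IN SRV 0 100 389 dc1.company.com.
_kerberos._tcp.dc._msdcs.company.com. 600 IN SRV 0 100 88 dc1.company.com.
"""

def parse_srv(text):
    """Return (owner_name, port, target) tuples; non-SRV lines are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            out.append((m.group(1).lower(), int(m.group(2)), m.group(3).lower()))
    return out

def expected_names(domain, site=None):
    """Owner names each DC in `domain` should register, optionally for AD site `site`."""
    names = [f"{p}.{domain}" for p in PER_DC + MSDCS]
    if site:  # site-specific copies live under <site>._sites.<domain>
        names += [f"{p}.{site}._sites.{domain}" for p in PER_DC]
    return [n.lower() for n in names]

def audit(records, domain, site=None):
    """Map each DC target to the sorted expected record names it is missing."""
    have = defaultdict(set)
    for name, _port, target in records:
        have[target].add(name)
    want = set(expected_names(domain, site))
    return {dc: sorted(want - names) for dc, names in have.items()}
```

Feed it the real answer section of a `dig SRV` query per record name (or the DC's `netlogon.dns` file, which lists the same owner names) to spot a DC that has stopped registering its locator records.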