I think the LDAP claim is incorrect. I am not aware of any specific protocol for authorization; it works like this:
Active Directory user authorization secures resources from unauthorized access. After the user authentication process, the type of access actually granted is determined by what user rights are assigned to the user and what permissions are attached to the objects the user wishes to access. Each object has Access Control Lists associated with it.
DACL - The Discretionary Access Control List (DACL) specifies a list of user accounts and groups that are allowed or denied access to a particular object.
SACL - The System Access Control List (SACL) defines operations such as read, write or delete that should be audited for a user or group.
Each list is made up of access control entries that list the permissions allowed or denied for a user or a group. Each time a user logs on, an access token is created for the user. The access token consists of Individual SID, Group SID and User rights.
When a user requests access to a particular object, the individual SID and group SID in the access token are compared against the DACL entries to see if the user is explicitly denied access. Then it checks if the requested access can be specifically permitted. These steps are repeated until a No access is encountered or sufficient information is collected to grant access to the resource.
More info
Authorization of what precisely? System logins? I believe the authorization data for that is attached as a "PAC" to Kerberos tickets. – user1686 – 2017-11-10T22:28:16.633
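The DACL walk described in the answer above, as an added Python example that is not part of the original post and is not Windows code. It is a simplified model that goes slightly beyond the answer by also covering a missing DACL, the implicit deny at the end of the list, and the effect of entry order; the right bits, the placeholder SIDs and the names `Ace` and `access_check` are constructed for illustration.

```python
from dataclasses import dataclass

# Access-right bits (constructed for this example, not Windows' real mask values)
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str    # "allow" or "deny"
    sid: str     # trustee SID the entry applies to
    mask: int    # rights the entry allows or denies

def access_check(token_sids, dacl, desired):
    """Walk the DACL in order; return (granted, reason)."""
    if dacl is None:                 # no DACL at all: object is unprotected
        return True, "null DACL"
    remaining = desired              # rights still waiting for an allow ACE
    for i, ace in enumerate(dacl):
        if ace.sid not in token_sids:
            continue                 # entry is for another user or group
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE {i}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, f"granted at ACE {i}"
    return False, "no ACE grants the remaining rights"   # implicit deny

# Constructed sample data: placeholder SIDs, not real accounts
ALICE = "S-1-5-21-0-0-0-1001"
STAFF = "S-1-5-21-0-0-0-2001"
CONTRACTORS = "S-1-5-21-0-0-0-2002"

TOKEN = {ALICE, STAFF, CONTRACTORS}   # user SID + group SIDs from logon
DACL = [                              # deny entries listed before allow entries
    Ace("deny", CONTRACTORS, WRITE | DELETE),
    Ace("allow", STAFF, READ | WRITE),
    Ace("allow", ALICE, DELETE),
]

if __name__ == "__main__":
    for name, want in [("read", READ), ("write", WRITE), ("read+delete", READ | DELETE)]:
        print(name, access_check(TOKEN, DACL, want))
    # Same ACEs with the deny entry last: order decides the outcome
    print("write, deny last", access_check(TOKEN, DACL[1:] + DACL[:1], WRITE))
```

An empty DACL (`[]`) denies every request in this model, while a missing one (`None`) grants every request, which is why the two cases are worth auditing separately.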