Active Directory (AD) is a centralized directory service developed by Microsoft for managing users, computers, and permissions in Windows networks.

Kerberos Authentication

Kerberos is the primary authentication protocol in Active Directory. It uses a ticket-based system instead of sending passwords over the network.

How Does It Work?

Client   ──AS-REQ──>  KDC
Client   <─AS-REP──   TGT (encrypted with krbtgt key)
Client   ──TGS-REQ─>  KDC
Client   <─TGS-REP─   TGS (service ticket)
Client   ──────────>  Service (using TGS)

# View current tickets
klist

# Request a ticket for a service principal (MIT kinit: -S names the service
# to get an initial ticket for instead of krbtgt)
kinit -S cifs/fileserver.corp.local user@CORP.LOCAL

Key point: TGT is valid for 10 hours by default. If stolen, it can be used until expiry.

NTLM Authentication

NTLM is an older protocol still used when connecting to machines outside the domain or via direct IP.

Challenge-Response Flow

Client   ──NEGOTIATE──>  Server
Client   <─CHALLENGE──   nonce (random value)
Client   ──RESPONSE──>   keyed hash of the nonce (key derived from the password)

# Check which authentication package (Kerberos or NTLM) recent logons used;
# the 4624 message text carries an "Authentication Package" field
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5 |
  Select-Object TimeCreated, Message
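To act on that check, the Authentication Package field has to be pulled out of each 4624 message. The following is an added example, not part of the original notes: a small parser over constructed 4624 message text (rendered from a template that keeps only the fields needed here; real events carry many more lines) that counts logons per package and lists network logons that used NTLM instead of Kerberos.

```python
import re
from collections import Counter

# Template with the 4624 fields this check needs (constructed sample data,
# not captured events; real messages carry many more lines).
_TEMPLATE = (
    "An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\tDC01$\n"
    "Logon Information:\n\tLogon Type:\t\t{logon_type}\n"
    "New Logon:\n\tAccount Name:\t\t{account}\n"
    "Network Information:\n\tWorkstation Name:\t{host}\n"
    "\tSource Network Address:\t{source}\n"
    "Detailed Authentication Information:\n"
    "\tAuthentication Package:\t{package}\n"
)

def make_4624(account, logon_type, source, package, host="WS01"):
    """Render one constructed 4624 message from the template above."""
    return _TEMPLATE.format(account=account, logon_type=logon_type,
                            source=source, package=package, host=host)

SAMPLE_4624_MESSAGES = [
    make_4624("alice", 3, "10.0.0.5", "Kerberos"),
    make_4624("bob", 3, "10.0.0.77", "NTLM", host="-"),   # host reached by IP
    make_4624("svc_backup", 2, "127.0.0.1", "NTLM"),      # local interactive logon
    make_4624("carol", 3, "10.0.0.9", "Kerberos"),
]

def _field(message, name, after=None):
    """Value of 'name:' in message, optionally only after a section header."""
    start = message.find(after) if after else 0
    if start < 0:
        return None
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", message[start:], re.M)
    return m.group(1) if m else None

def parse_4624(message):
    """Extract the fields; Account Name is read from New Logon, not Subject."""
    return {
        "account": _field(message, "Account Name", after="New Logon:"),
        "logon_type": _field(message, "Logon Type"),
        "source": _field(message, "Source Network Address"),
        "package": _field(message, "Authentication Package"),
    }

def summarize(messages):
    """Count logons per package and list type-3 (network) logons that used NTLM."""
    events = [parse_4624(m) for m in messages]
    counts = Counter(e["package"] for e in events)
    ntlm_network = [e for e in events
                    if e["package"] == "NTLM" and e["logon_type"] == "3"]
    return counts, ntlm_network
```

On the sample data the flagged list contains only bob's logon, the network logon that fell back to NTLM; feed real `Message` strings from the Get-WinEvent output above to `summarize` for the same review.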

Key difference: NTLM is weaker than Kerberos; it does not provide mutual authentication, so the client cannot verify the identity of the server it is talking to.