Guide for Active Directory (AD) Authentication protocols
What is Active Directory (AD) Authentication?
Active Directory (AD) is a database and a set of services that connects users to the network resources they require to complete their tasks.
The database (or directory) contains critical information about your environment, such as the users and computers present and who is authorized to do what. For example, the database could contain 100 user accounts with information such as each person's job title, phone number, and password, and it also keeps track of their permissions. The services manage a large portion of the activity in your IT environment: they ensure that each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and they limit each person's access to only the data they are authorized to use (authorization). Active Directory (AD) authentication is a Windows mechanism for centralized management of user roles and permissions, which AD achieves through its Group Policy feature.
How does authentication work in Active Directory (AD)?
AD supports multiple protocols for authenticating an organization's users. The two main ones are Kerberos and LDAP.
- Kerberos: Kerberos is a network authentication protocol used to authenticate trusted devices and users across a network. In AD authentication using Kerberos, once the user signs in with their AD credentials, a session is maintained for the user. The session has multiple attributes, and you can set its validity period according to the organization's needs.
There are three parties in Kerberos: the server, the client, and the key distribution center (KDC). Kerberos has two functions: authentication and ticket-granting. It uses secret-key cryptography to authenticate user identities. If a user or client wants access to any of the company's resources, they must first authenticate to the KDC, which consists of the authentication server (AS) and the ticket-granting server (TGS).
The user sends an authentication request to the AS, which issues a ticket-granting ticket (TGT) to the client. The client makes a second request, presenting the TGT, to the ticket-granting server (TGS). The TGS sends a key to the target server and grants a token to the client. The client then calls the target server with the token, and the target server authenticates it using the key shared by the TGS. Thus no username or password is sent over the network, and the user is still authenticated.
- Lightweight Directory Access Protocol (LDAP): LDAP is a protocol used to communicate with directory services such as Active Directory (AD). Two authentication options are available with LDAP: simple authentication and Simple Authentication and Security Layer (SASL).
a.) Simple authentication: Simple authentication in LDAP sends the login credentials (username and password) in a BIND request to the server. It has three forms: anonymous authentication, unauthenticated authentication, and name/password authentication.
b.) Simple Authentication and Security Layer (SASL): SASL can delegate to other security frameworks such as Kerberos for authentication. It adds a separate security layer to the authentication process and does not depend on the protocols supported by the application.
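The Kerberos exchange described above (AS-REQ/AS-REP, TGS-REQ/TGS-REP, then the ticket presented to the target server), as an added simulation that is not part of this page or of miniOrange's product: the KDC database, the user "alice", the service "cifs/fs01" and the toy encryption routines are all constructed for illustration. As in RFC 4120, the service session key reaches the target server inside the ticket the client forwards, encrypted under the server's own long-term key, and the password itself never leaves the client.

```python
import hashlib, hmac, json, os, time

def kdf(secret: str) -> bytes:
    # Stand-in for Kerberos string-to-key: a long-term key derived from a password or service secret.
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (SHA-256 keystream + HMAC tag), constructed for illustration only.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")  # a wrong password lands here on the client side
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

# Constructed KDC database: the user's key, the TGS (krbtgt) key and one service key.
KDC_DB = {"alice": kdf("alice-pw"), "krbtgt": kdf("tgs-secret"), "cifs/fs01": kdf("fs01-secret")}

def as_exchange(user: str):
    # AS-REQ/AS-REP: the KDC never sees the password; it issues a TGT plus the TGS session key under the user's key.
    sk = os.urandom(32).hex()
    tgt = seal(KDC_DB["krbtgt"], {"client": user, "key": sk, "exp": time.time() + 600})
    return tgt, seal(KDC_DB[user], {"key": sk})

def tgs_exchange(tgt: bytes, authenticator: bytes, service: str):
    # TGS-REQ/TGS-REP: validate TGT + authenticator, then issue a service ticket under the service's key.
    t = unseal(KDC_DB["krbtgt"], tgt)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or t["exp"] < time.time():
        raise ValueError("TGT/authenticator mismatch or expired")
    svc = os.urandom(32).hex()
    return seal(KDC_DB[service], {"client": t["client"], "key": svc}), seal(bytes.fromhex(t["key"]), {"key": svc})

def service_accepts(service: str, ticket: bytes, authenticator: bytes) -> bool:
    # AP-REQ: the server decrypts the ticket with its own key and checks the authenticator with the session key inside.
    t = unseal(KDC_DB[service], ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    return a["client"] == t["client"] and abs(time.time() - a["ts"]) < 300

def client_login(user: str, password: str, service: str) -> bool:
    tgt, enc = as_exchange(user)
    sk = bytes.fromhex(unseal(kdf(password), enc)["key"])  # only the right password unlocks the session key
    ticket, enc2 = tgs_exchange(tgt, seal(sk, {"client": user, "ts": time.time()}), service)
    svc_key = bytes.fromhex(unseal(sk, enc2)["key"])
    return service_accepts(service, ticket, seal(svc_key, {"client": user, "ts": time.time()}))
```

Note that a wrong password fails at the client when it cannot decrypt the AS reply, and a modified ticket fails the HMAC check at the TGS or the service; the session validity mentioned in the text corresponds to the "exp" field carried inside the TGT.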
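The LDAP bind flavours described above (anonymous, unauthenticated and name/password simple binds, and a SASL bind), as an added stdlib-only example that is not part of this page or of miniOrange's product: it encodes and decodes the LDAPv3 BindRequest exactly as RFC 4511 defines it in BER, and the DN and password values are constructed. The decoder makes the defender's point: a simple bind carries the password as a plain OCTET STRING, so it must only be sent over LDAPS or after StartTLS.

```python
def ber_len(n: int) -> bytes:
    # Definite-form length: one byte below 128, otherwise 0x8N followed by N length bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body
def ber_int(v: int) -> bytes:
    assert 0 <= v < 0x80  # enough for message IDs and the protocol version 3 used here
    return tlv(0x02, bytes([v]))

def classify_bind(dn: str, password: str) -> str:
    # The three simple-bind forms in the text; RFC 4513 says servers should refuse the unauthenticated one.
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"  # an application must never treat a success reply here as proof of identity
    return "name/password"

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] OCTET STRING } }
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + bind)

def sasl_bind_request(msg_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    # Same envelope, but authentication is [3] SaslCredentials { mechanism, credentials }, e.g. GSSAPI for Kerberos.
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, credentials))
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, ber_int(3) + tlv(0x04, b"") + sasl))

def read_tlv(buf: bytes, pos: int):
    # Returns (tag, body, position after the element).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_simple_bind(msg: bytes) -> dict:
    # Decodes the fields back out; every field, the password included, is plaintext unless the session is under TLS.
    _, seq, _ = read_tlv(msg, 0)
    _, mid, p = read_tlv(seq, 0)
    _, bind, _ = read_tlv(seq, p)
    _, ver, p = read_tlv(bind, 0)
    _, dn, p = read_tlv(bind, p)
    tag, auth, _ = read_tlv(bind, p)
    return {"id": mid[0], "version": ver[0], "dn": dn.decode(),
            "password": auth.decode() if tag == 0x80 else None}
```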
Advantages of using Active Directory (AD) Authentication
The following are the main advantages of Active Directory Domain Services (AD DS):
- Centralized resources and security administration - Active Directory (AD) authentication provides a centralised location for administrators to manage and secure network resources and security objects. Active Directory administration can be based on an organisational model, a business model, or the types of functions being administered.
- Single point of access to global resources - Active Directory (AD) authentication only needs to identify and authenticate the user once. After this process is completed, the user signs on once to access the network resources that he or she is authorised for, based on the roles and privileges assigned to him or her in Active Directory.
- Simplified resource allocation - By allowing file and print resources to be published on the network, Active Directory (AD) authentication simplifies resource allocation. Once an object is published, users can securely access it by searching the Active Directory database for the desired resource.
Active Directory Authentication using miniOrange
miniOrange supports user authentication from external directories such as Active Directory, LDAP, OpenLDAP, and OpenDS, among others. We have directory integration solutions that are simple and easy to use for both cloud and on-premise applications. This on-demand integration service enables user authentication, user provisioning, de-provisioning, and application usage reporting. The fact that miniOrange's directory integration is simple to set up is an important aspect of this service. miniOrange also supports thousands of applications and provides a Single Sign-On (SSO) mechanism for users in the integrated directory.
Workflow
- User sends the request to access the resource from an application.
- The Application sends an authentication request to miniOrange.
- miniOrange forwards the authentication request to Active Directory.
- Active Directory sends the response to the application through miniOrange. This response contains the user’s information as well as the authentication status, based on which the user is given access to the resource.
- Upon successful authentication, the user is given access to the resource.
To set up Active Directory (AD) Authentication, you can follow the steps here.
Authentication in Active Directory entails more than just the verification of a username and password. miniOrange AD authentication includes the following components:
Self-service password reset
The first component of the AD authentication service that we provide at miniOrange is self-service password reset, which allows users to change or reset their passwords without the involvement of an administrator or help desk. If a user forgets their password, the miniOrange solution can be used to generate a new one for them.
- Password change - when a user knows their password but wants to change it to something new.
- Password reset - when a user can't sign in, for example because they forgot their password, and wants to reset it. There are various ways to reset a password:
- Password reset via a link sent to the registered email address.
- A link is sent to the registered phone number to change the password.
- Users have to perform some form of authentication, such as answering previously configured security questions, in order to change the password.
- When a user uses self-service password reset to update or reset their password, that password is also written back to the Active Directory environment. Password writeback ensures that a user's updated credentials are immediately usable with on-premises devices and applications.
AD Multi-Factor Authentication
The second component of the AD authentication service that we provide at miniOrange is MFA.
MFA (Multi-Factor Authentication) is a type of authentication in which a user must provide additional factors in order to gain access to specific resources. In this context, resources refer to a website, an application, a network, or a VPN.
Rather than simply asking for a username and password, MFA (Multi-Factor Authentication) adds additional verification factors (OTP, push notifications, fingerprint, and more; 15+ MFA methods) that indirectly halt cyber attackers' activities such as phishing, malware, and so on, providing a high level of assurance and security. Simply put, you must convince the system or online service of your identity multiple times before the system can determine whether you have the rights to obtain the data or services that you are attempting to retrieve.
The goal of using MFA is to create a layered defence, so that even if one factor (the username and password) is stolen, a targeted cyber attacker still has at least one more barrier to overcome before successfully breaking into the targeted device.
Passwordless authentication
One of the most amazing components of the AD authentication service that miniOrange will provide you is passwordless authentication. Users can log in without having to remember a password using passwordless connections.
To log in to the application, users simply enter their username and pass the 2-factor authentication by entering an OTP or receiving a push notification. This provides people with a simple and convenient way to sign in and access data from anywhere.
Passwords are also a major vulnerability because users reuse passwords and can share them with others. An attacker cannot easily replicate 2-factor authentication methods.
miniOrange provides ways to natively authenticate using passwordless methods to simplify the sign-in experience for users and reduce the risk of attacks.