LDAP, NTLM, and Kerberos are all authentication protocols used to secure access to directory services.
#########################################################################################################################
LDAP protocol
#############
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or a corporate intranet.
It is fair to say that LDAP has become a popular protocol. It served as the foundation on which Microsoft built Active Directory, and has been instrumental in the development of today’s cloud-based directories (also known as Directories-as-a-Service).
LDAP sends messages between servers and client applications which can include everything from client requests to data formatting.
On a functional level, LDAP works by binding an LDAP user to an LDAP server. The client sends an operation request that asks for a particular set of information, such as user login credentials or other organizational data.
The LDAP server then processes the query based on its internal language, communicates with directory services if needed, and responds. When the client receives the response, it unbinds from the server and processes the data accordingly.
Purpose: LDAP is a protocol used for accessing and maintaining distributed directory information services over an IP network.
It is used to query and modify items in directory service databases like user details, group membership, and other information stored in a directory database.
Usage: Commonly used in managing user information in directories like Microsoft Active Directory, OpenLDAP, etc.
Security: LDAP itself doesn't provide strong security features but can be used over SSL/TLS (LDAPS) for encrypted connections.
LDAP is a protocol designed for efficiently accessing and retrieving information stored within directory services.
It has a primitive authentication mechanism called “simple bind” that applications can use to verify credentials if they can’t handle other authentication protocols.
It gets tricky because LDAP also includes an extensible authentication framework called SASL that allows alternate authentication protocols to be added.
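To make the "simple bind" point concrete, here is an added example (not from the original page) that encodes and decodes an LDAPv3 simple BindRequest in BER as RFC 4511 defines it. The DN and password are constructed sample values. The point it demonstrates is the one behind the LDAPS/StartTLS recommendation above: in a simple bind the password is an ordinary OCTET STRING in the message, so anyone who can read the unencrypted session can read the credential.

```python
# Added example: LDAPv3 simple BindRequest encoder/decoder (RFC 4511, BER).
# Sample DN and password are constructed; they belong to no real directory.
from dataclasses import dataclass


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER for the small values used here (0..127 fit in one content octet)."""
    assert 0 <= v < 128, "example handles single-octet integers only"
    return tlv(0x02, v.to_bytes(1, "big"))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name LDAPDN, simple [0] OCTET STRING }"""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SimpleBind:
    message_id: int
    dn: str
    password: str


def decode_simple_bind(msg: bytes) -> SimpleBind:
    """Parse a simple BindRequest; refuse anything that is not one."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    tag, bind, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    tag, ver, pos = read_tlv(bind, 0)
    if ver != b"\x03":
        raise ValueError("only LDAPv3 handled here")
    tag, name, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    if tag != 0x80:  # sasl [3] SaslCredentials is encoded as 0xA3
        raise ValueError("not a simple bind (SASL credentials present)")
    return SimpleBind(int.from_bytes(mid, "big"), name.decode(), auth.decode())


def password_visible_on_wire(msg: bytes, password: str) -> bool:
    """What a passive observer of an unencrypted (non-LDAPS) session can see."""
    return password.encode() in msg


if __name__ == "__main__":
    wire = encode_simple_bind(1, "cn=svc-app,ou=service,dc=example,dc=test", "Hunter2!")
    print(wire.hex())
    print(decode_simple_bind(wire))
    print("password visible in cleartext:", password_visible_on_wire(wire, "Hunter2!"))
```

The decoder deliberately rejects the SASL choice so that a reader can see where the two authentication paths of the bind operation diverge in the encoding.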
#########################################################################################################################
Kerberos
#########
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.
Here are the most basic steps taken to authenticate in a Kerberized environment.
Client requests an authentication ticket (TGT) from the Key Distribution Center (KDC).
The KDC verifies the credentials and sends back an encrypted TGT and session key.
Client requests to access an application on a server. The client sends a ticket request for the application server to the KDC; it consists of the client’s TGT and an authenticator.
The KDC returns a ticket and a session key to the user.
The ticket is sent to the application server. Once the ticket and authenticator have been received, the server can authenticate the client.
The server replies to the client with another authenticator. On receiving this authenticator, the client can authenticate the server.
Kerberos is a complex ticket-based authentication mechanism that authenticates the client to the server and authenticates the server to the client.
It is more secure than NTLM, but it can be a bit challenging to set up properly. Kerberos is the authentication protocol used in Windows 2000 and above, whereas NTLM was used in Windows NT 4 and below. Kerberos has two key advantages that make it worth consideration: better security and faster authentication.
It also supports mutual authentication, authentication delegation, and the smart card logon feature.
Purpose: Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.
Usage: It is widely used in various types of networks, including mixed Windows and Unix/Linux environments. Microsoft Active Directory uses Kerberos as its default authentication method.
Security: Kerberos is more secure than NTLM. It uses time-stamped tickets to provide mutual authentication and is less susceptible to interception and replay attacks.
In summary, LDAP is primarily for accessing and managing directory services, NTLM is an older authentication protocol used in Windows environments, and Kerberos is a more secure, modern authentication protocol used across various platforms.
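The six steps above, and the remark that time-stamped tickets resist replay, can be followed in code. The following is an added example, not part of the original page and not real Kerberos (the cipher is a SHA-256/HMAC stand-in for the Kerberos encryption types, and the message formats are invented). It models the AS, TGS and AP exchanges with one shared verification routine, so that the checks the KDC and the application server perform are visible: the ticket must decrypt under the right long-term key, the authenticator must decrypt under the session key carried in that ticket and name the same client, its timestamp must fall within the clock skew window, and it must not have been seen before. The final AP-REP gives the mutual authentication of step 6. Principal names and passwords are constructed.

```python
# Added example: toy Kerberos AS/TGS/AP exchange. The cipher is a stand-in
# (SHA-256 keystream + HMAC tag), NOT a real Kerberos encryption type.
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of tolerated clock drift (Kerberos default is 5 minutes)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal; raises ValueError on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))


def key_of(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # stand-in for string2key


def verify(ticket_key: bytes, ticket: bytes, authenticator: bytes, now: float, replays: set):
    """Check shared by the KDC (TGS exchange) and the service (AP exchange).
    Returns (client name, session key, authenticator timestamp) or raises ValueError."""
    t = unseal(ticket_key, ticket)                 # only the ticket's owner key opens it
    if now >= t["exp"]:
        raise ValueError("ticket expired")
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, authenticator)                   # proves the sender holds the session key
    if a["cname"] != t["cname"]:
        raise ValueError("authenticator names a different client than the ticket")
    if abs(now - a["ts"]) > SKEW:
        raise ValueError("clock skew too great")
    if (a["cname"], a["ts"]) in replays:
        raise ValueError("replayed authenticator")
    replays.add((a["cname"], a["ts"]))
    return t["cname"], sk, a["ts"]


class KDC:
    def __init__(self, principals: dict):
        self.keys = {name: key_of(pw) for name, pw in principals.items()}
        self.tgs_key = os.urandom(32)               # krbtgt long-term key
        self.replays = set()

    def ticket(self, enc_key: bytes, cname: str, session_key: bytes, now: float) -> bytes:
        return seal(enc_key, {"cname": cname, "key": session_key.hex(), "exp": now + 36000})

    def as_exchange(self, cname: str, now: float):
        """Steps 1-2: TGT under the krbtgt key, session key under the client's key."""
        sk = os.urandom(32)
        return self.ticket(self.tgs_key, cname, sk, now), seal(self.keys[cname], {"key": sk.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: float):
        """Steps 3-4: validate TGT + authenticator, issue a service ticket."""
        cname, sk, _ = verify(self.tgs_key, tgt, authenticator, now, self.replays)
        sk2 = os.urandom(32)
        return self.ticket(self.keys[sname], cname, sk2, now), seal(sk, {"key": sk2.hex()})


class Service:
    def __init__(self, password: str):
        self.key, self.replays = key_of(password), set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: float) -> bytes:
        """Steps 5-6: authenticate the client, then prove our own identity (AP-REP)."""
        cname, sk, ts = verify(self.key, ticket, authenticator, now, self.replays)
        return seal(sk, {"ts": ts})                 # only the service-key holder can do this


def client_get_service_ticket(kdc: KDC, cname: str, password: str, sname: str, now: float):
    tgt, enc = kdc.as_exchange(cname, now)
    sk = bytes.fromhex(unseal(key_of(password), enc)["key"])   # wrong password -> ValueError
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"cname": cname, "ts": now}), sname, now)
    return ticket, bytes.fromhex(unseal(sk, enc2)["key"])


def client_login(kdc: KDC, service: Service, cname: str, password: str, sname: str, now: float) -> bool:
    """Whole run from the client's side; True only when the server also authenticated itself."""
    ticket, sk2 = client_get_service_ticket(kdc, cname, password, sname, now)
    ap_rep = service.ap_exchange(ticket, seal(sk2, {"cname": cname, "ts": now}), now)
    return unseal(sk2, ap_rep)["ts"] == now


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery", "http/web.example.test": "svc-secret"})
    web = Service("svc-secret")
    print("mutual auth:", client_login(kdc, web, "alice", "correct horse battery",
                                       "http/web.example.test", time.time()))
```

Note that the client never sends its password anywhere: the KDC learns that the client knows it only because the client can open the AS reply, which is why a wrong password surfaces as a failed decryption on the client side rather than a rejection from the KDC.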
#########################################################################################################################
OAuth 2
########
OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean.
Here is a description of the basic steps in the authorization process:
The application requests authorization from the user to access service resources.
If that user approves then the application receives an authorization grant.
Application requests an access token from the authorization server (API). This is done by presenting its identity and the authorization grant.
If the application identity is authenticated and the authorization grant is valid, the API issues an access token to the application. Authorization is complete.
The application requests the resource from the API and presents the access token for authentication.
If the access token is valid, the API serves the resource to the application.
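The six steps above can be traced in a small model of an authorization server and a resource server. This is an added example, not code from the page or from any real OAuth provider; client ids, scopes, endpoint shapes and lifetimes are invented. What it shows is which checks sit behind "the authorization grant is valid" in step 4 (the code is bound to the client and redirect URI that requested it, expires quickly and can be redeemed exactly once, and the client must authenticate) and behind "if the access token is valid" in step 6 (the token must be live and carry the scope the resource needs).

```python
# Added example: authorization code grant with the checks each side makes.
# Clients, users, scopes and lifetimes are constructed for the example.
import hmac
import secrets


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # authorization code -> grant record (single use)
        self.tokens = {}    # access token -> {"user", "scope", "exp"}

    def register_client(self, client_id: str, client_secret: str, redirect_uri: str):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, user, approved, now):
        """Steps 1-2: the user's approval becomes a short-lived code bound to this client/redirect."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not approved:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "exp": now + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Steps 3-4: authenticate the client, validate the grant, issue an access token."""
        stored = self.clients.get(client_id)
        if stored is None or not hmac.compare_digest(stored[0].encode(), client_secret.encode()):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)          # pop: a code is redeemable exactly once
        if grant is None or grant["exp"] <= now:
            raise PermissionError("invalid_grant")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")  # code was issued to someone else
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"],
                                     "exp": now + 3600}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, access_token, now):
        """Answer the resource server: is this token live, for whom, and for what scope?"""
        info = self.tokens.get(access_token)
        if info is None or info["exp"] <= now:
            return {"active": False}
        return {"active": True, **info}


class ResourceServer:
    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server
        self.profiles = {"alice": {"name": "Alice Example"}}   # constructed protected data

    def get_profile(self, authorization_header: str, now):
        """Steps 5-6: serve the resource only for a live Bearer token with the needed scope."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.introspect(token, now) if scheme == "Bearer" else {"active": False}
        if not info["active"] or "profile:read" not in info["scope"].split():
            raise PermissionError("401 invalid_token or 403 insufficient_scope")
        return self.profiles[info["user"]]


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("app1", "constructed-client-secret", "https://app.example.test/cb")
    api = ResourceServer(srv)
    code = srv.authorize("app1", "https://app.example.test/cb", "profile:read", "alice", True, now=1000)
    tok = srv.token("app1", "constructed-client-secret", code, "https://app.example.test/cb", now=1001)
    print(api.get_profile("Bearer " + tok["access_token"], now=1002))
```

The clock is passed in explicitly so that the expiry checks can be exercised without waiting; a real server would read the current time itself.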
#########################################################################################################################
SAML
####
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
JumpCloud is one of the best Single Sign-On (SSO) providers which supports SAML authentication protocols. JumpCloud’s SSO provides SAML integrations with 700 popular business applications (including Kisi) and automated user lifecycle management features like Just-in-Time (JIT) provisioning and SCIM provisioning/deprovisioning.
Here is a description of the typical steps in the authentication process:
User accesses remote application using a link on an intranet or similar and the application loads.
Application identifies user’s origin (by application subdomain, user IP address, or similar). It redirects the user back to the identity provider, asking for authentication.
User either has an existing active browser session with the identity provider or establishes one by logging into the identity provider.
Identity provider builds an authentication response in the form of an XML document containing the user’s username or email address. This is then signed using an X.509 certificate and posted to the service provider.
Service provider (which already knows the identity provider and has a certificate fingerprint) retrieves the authentication response and validates it using the certificate fingerprint.
The identity of the user is established, and the user is provided with app access.
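Steps 4 and 5 above are where a service provider most often goes wrong, so here is an added example (not from the page, not from JumpCloud or any SAML library) of the checks a service provider makes on the identity provider's response around the signature: the Issuer is the expected identity provider, the certificate carried in the response matches the pinned fingerprint, the assertion is within its validity window, the Audience names this service provider, and only then is the NameID taken as the user's identity. The XML, certificate bytes and fingerprint are constructed; the XML-DSig signature verification itself needs a SAML/xmlsec library and is not implemented here, so this function is one half of the validation, not a complete one.

```python
# Added example: service-provider-side checks on a SAML 2.0 Response.
# Certificate bytes, fingerprint and response are constructed for the example.
# XML-DSig signature verification is NOT performed here; use a SAML library for that.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Stand-in for the IdP's DER certificate; the SP pins its SHA-256 fingerprint at setup time.
FAKE_IDP_CERT_DER = b"constructed-idp-certificate-bytes"
PINNED_FINGERPRINT = hashlib.sha256(FAKE_IDP_CERT_DER).hexdigest()


def parse_time(iso: str) -> datetime:
    """SAML timestamps are ISO 8601 in UTC; keep them timezone-aware for comparison."""
    return datetime.fromisoformat(iso)


def make_response(issuer, audience, name_id, not_before, not_on_or_after, cert_der=FAKE_IDP_CERT_DER):
    """Build a constructed (unsigned) Response shaped like what an IdP posts in step 4."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text: str, expected_issuer: str, expected_audience: str, now: datetime) -> str:
    """Step 5 checks. Returns the NameID or raises ValueError. Signature check is separate."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS) or ""
    fingerprint = hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()
    if fingerprint != PINNED_FINGERPRINT:
        raise ValueError("signing certificate does not match the pinned fingerprint")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion is not intended for this service provider")
    name_id = root.findtext(".//saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    return name_id


if __name__ == "__main__":
    xml = make_response("https://idp.example.test", "https://sp.example.test", "alice@example.test",
                        "2024-01-01T11:55:00+00:00", "2024-01-01T12:05:00+00:00")
    print(validate_response(xml, "https://idp.example.test", "https://sp.example.test",
                            parse_time("2024-01-01T12:00:00+00:00")))
```

The order matters: issuer and certificate pinning come before anything in the assertion is trusted, because until the signature (verified by the library) is tied to the pinned certificate, every other field is attacker-controlled input.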
#########################################################################################################################
RADIUS
######
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.
RADIUS authentication begins when the user requests access to a network resource through the Remote Access Server (RAS). The user enters a username and a password, which are encrypted by the RADIUS server before being sent through the authentication process.
Then the RADIUS server checks the accuracy of the information by employing authentication schemes to verify the data. This is done by comparing the user-provided information against a locally stored database or referring to external sources such as Active Directory servers.
The RADIUS server will then respond by accepting, challenging or rejecting the user. Individual users may be granted restricted access without affecting other users. In the case of a challenge, the RADIUS server requests additional information from the user to verify their user ID, such as a PIN or a secondary password. In the case of a reject, the user is unconditionally denied access.
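The request/response described above has a concrete wire format in RFC 2865, and the following added example (not from the page) builds it: an Access-Request carrying User-Name and a User-Password hidden with the shared secret and the Request Authenticator, a toy server that checks the password against a local table and answers Access-Accept or Access-Reject, and the Response Authenticator check a client must perform before trusting an Accept. The shared secret, user names and passwords are constructed. Two points a practitioner should take from it: the password is only obfuscated with MD5 keyed by the shared secret (so the secret's strength and the transport matter), and an Accept is worthless unless its Response Authenticator verifies, since anyone on the path can send the three bytes of an Accept code.

```python
# Added example: RFC 2865 Access-Request / Access-Accept at the packet level.
# Shared secret, users and passwords are constructed for the example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (the server needs the cleartext to check it)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    request_auth = os.urandom(16)   # Request Authenticator: fresh random value per request
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy RADIUS server: verify the password against a local table, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed Access-Request")
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    if USER_PASSWORD not in attrs:
        raise ValueError("no User-Password attribute")
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), b"")


def client_verify_response(request: bytes, response: bytes, secret: bytes) -> int:
    """Return the response code only if its Response Authenticator matches our request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        raise ValueError("identifier or length mismatch")
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("response is forged or was computed with a different secret")
    return code


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"alice": b"Hunter2!"}
    req = build_access_request(7, b"alice", b"Hunter2!", secret)
    print("result code:", client_verify_response(req, server_handle(req, secret, users), secret))
```

Only User-Name and User-Password are modelled; a production exchange carries NAS identification, and modern deployments add Message-Authenticator (RFC 3579) or run RADIUS over TLS, neither of which is shown here.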
#########################################################################################################################
NTLM (NT LAN Manager)
######################
NTLM is an older challenge-response authentication mechanism that is still used as a fallback when Kerberos authentication is unavailable.
It is a well-known and well-loved authentication mechanism, and using NTLM means that you really have no special configuration issues. As Microsoft likes to say, “It just works.”
Purpose: NTLM is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. It is a challenge-response authentication protocol used in Windows environments.
Usage: Often used in network authentication for Windows systems, especially in older environments or systems that do not support more secure protocols.
Security: NTLM is less secure compared to modern authentication protocols. It is vulnerable to various types of attacks, like relay attacks, and is often replaced by more secure mechanisms in newer systems.
#########################################################################################################################