Authentication services commonly use protocols to ensure that unencrypted credentials are not sent across a network. This protects user credentials and provides additional security for identity and access services. If you’re planning to take the SY0-501 exam, you should have a basic understanding of installing and configuring identity and access services.
For example, can you answer this practice test question?
Q. A network includes a ticket-granting ticket server used for authentication. Which authentication service does this network use?
A. Shibboleth
B. SAML
C. LDAP
D. Kerberos
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Kerberos
Kerberos is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms. It was originally developed at MIT (the Massachusetts Institute of Technology) for Unix systems and later released as a request for comments (RFC). Kerberos provides mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks.
Kerberos includes several requirements for it to work properly. They are:
• A method of issuing tickets used for authentication. The Key Distribution Center (KDC) uses a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC (or TGT server) packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server. These tickets are sometimes referred to as tokens, but they are logical tokens, not a key fob type of token.
• Time synchronization. Kerberos version 5 requires the clocks of all systems to be synchronized to within five minutes of each other. The clock that provides the time synchronization is used to timestamp tickets, ensuring they expire correctly. This helps prevent replay attacks. In a replay attack, a third party attempts to impersonate a client after intercepting data captured in a session. However, if an attacker intercepts a ticket, the timestamp limits the amount of time an attacker can use the ticket.
• A database of subjects or users. In a Microsoft environment, this is Active Directory, but it could be any database of users.
When a user logs on with Kerberos, the KDC issues the user a ticket-granting ticket, which typically has a lifetime of 10 hours to be useful for a single workday. When the user tries to access a resource, the ticket-granting ticket is presented as authentication, and the user is issued a ticket for the resource. However, the ticket expires if users stay logged on for an extended period, such as longer than 10 hours. This prevents them from accessing network resources. In this case, users may be prompted to provide a password to renew the ticket-granting ticket, or they might need to log off and back on to generate a new ticket-granting ticket.
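The two time rules described above (the five-minute clock tolerance and the 10-hour ticket lifetime) as a constructed illustration in Python. This is an added example, not code from the original post or from any Kerberos implementation; the `Ticket` class, `check_ticket` function and the 08:00 workday scenario are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the Kerberos time rules: tickets carry the KDC's issue
# timestamp and expire after a fixed lifetime, and all clocks must agree to
# within a small skew window. Not a real Kerberos implementation.
MAX_CLOCK_SKEW = timedelta(minutes=5)   # Kerberos v5 tolerance between clocks
TGT_LIFETIME = timedelta(hours=10)      # typical TGT lifetime for one workday


@dataclass(frozen=True)
class Ticket:
    principal: str            # e.g. "homer@GETCERTIFIEDGETAHEAD.COM" (assumed realm)
    service: str              # "krbtgt/<REALM>" for a TGT, otherwise the resource
    issued_at: datetime       # timestamp written by the KDC when the ticket was issued
    lifetime: timedelta = TGT_LIFETIME

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.lifetime


def check_ticket(ticket: Ticket, now: datetime, client_time: datetime) -> str:
    """Return 'ok' or the reason a service should reject the presented ticket.

    `now` is the service's own clock; `client_time` is the timestamp the client
    sends alongside the ticket (the Kerberos authenticator)."""
    # Rule 1: client and service clocks must agree within the skew window,
    # otherwise the expiry checks below cannot be trusted.
    if abs(now - client_time) > MAX_CLOCK_SKEW:
        return "clock skew too great"
    # Rule 2: a ticket is unusable before it was issued or after it expired,
    # so a replayed ticket stops working once its lifetime has passed.
    if now + MAX_CLOCK_SKEW < ticket.issued_at:
        return "ticket not yet valid"
    if now > ticket.expires_at:
        return "ticket expired"
    return "ok"


def workday_scenarios() -> dict:
    """Constructed scenario: a TGT issued at 08:00 UTC, probed during the day."""
    issued = datetime(2024, 1, 8, 8, 0, tzinfo=timezone.utc)
    tgt = Ticket("homer@GETCERTIFIEDGETAHEAD.COM", "krbtgt/GETCERTIFIEDGETAHEAD.COM", issued)
    hour = timedelta(hours=1)
    return {
        "09:00 normal use": check_ticket(tgt, issued + hour, issued + hour),
        "19:00 replayed after 10 hours": check_ticket(tgt, issued + 11 * hour, issued + 11 * hour),
        "09:00 client clock 6 min off": check_ticket(tgt, issued + hour, issued + hour + timedelta(minutes=6)),
    }
```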
LDAP and LDAPS
Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories. In this context, a directory is a database of objects that provides a central access point to manage users, computers, and other directory objects. LDAP is an extension of the X.500 standard that Novell and early Microsoft Exchange Server versions used extensively.
Windows domains use Active Directory, which is based on LDAP. Active Directory is a directory of objects (such as users, computers, and groups), and it provides a single location for object management. Queries to Active Directory use the LDAP format. Similarly, Unix realms use LDAP to identify objects.
Administrators often use LDAP in scripts, but they need to have a basic understanding of how to identify objects. For example, a user named Homer in the Users container within the GetCertifiedGetAhead.com domain is identified with the following LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com
• CN=Homer. CN is short for common name.
• CN=Users. CN is sometimes referred to as container in this context.
• DC=GetCertifiedGetAhead. DC is short for domain component.
• DC=com. This is the second domain component in the domain name.
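A small parser for the LDAP path format shown above, written as an added example (not code from the original post). It splits the string into its CN and DC components, rebuilds the domain name from the DC parts, and handles the RFC 4514 rule that a comma inside a value is escaped as `\,`, which a naive `split(',')` would get wrong; the second sample path with an escaped comma is constructed for the demonstration.

```python
import re

# Constructed sample paths: the first is the one from the text above, the second
# shows a common name containing an escaped comma ("Simpson, Homer").
SAMPLE_PATH = "LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com"
ESCAPED_PATH = "CN=Simpson\\, Homer,OU=Staff,DC=example,DC=com"


def parse_ldap_path(path: str) -> list[tuple[str, str]]:
    """Split an LDAP path into ordered (attribute, value) pairs, most specific first.

    Commas inside a value are escaped as '\\,' (RFC 4514), so the string is split
    only on commas that are not preceded by a backslash."""
    dn = path[len("LDAP://"):] if path.upper().startswith("LDAP://") else path
    parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Normalise the attribute name and unescape the value.
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def domain_name(rdns: list[tuple[str, str]]) -> str:
    """Join the domain components back into the DNS-style domain name."""
    return ".".join(value for attr, value in rdns if attr == "DC")


def container_path(rdns: list[tuple[str, str]]) -> str:
    """Hierarchical view from the domain root down to the object,
    e.g. GetCertifiedGetAhead.com/Users/Homer."""
    containers = [value for attr, value in rdns if attr != "DC"]
    return "/".join([domain_name(rdns)] + list(reversed(containers)))
```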
LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data. TLS encrypts the data before transmission.
SSO and Transitive Trusts
A transitive trust creates an indirect trust relationship. As an example, imagine a transitive trust relationship exists between Homer, Moe, and Fat Tony:
• Homer trusts Moe.
• Moe trusts Fat Tony.
• Because of the transitive trust relationship, Homer trusts Fat Tony.
Of course, this isn’t always true with people and Homer might be a little upset with Moe if Moe shares Homer’s secrets with Fat Tony. However, it reduces network administration in a domain.
Within an LDAP-based network, domains use transitive trusts for SSO. The figure shows a common configuration with three domains in the same network. The parent domain is GetCertifiedGetAhead.com and the configuration includes two child domains—Training and Blogs.
An LDAP transitive trust used for SSO
In this example, there is a two-way trust between the parent domain (GetCertifiedGetAhead.com) and the child domain (Training.GetCertifiedGetAhead.com). The parent trusts the child, and the child trusts the parent. Similarly, there is a two-way trust between the parent domain and the Blogs child domain. There isn’t a direct trust between the two child domains. However, the transitive relationship creates a two-way trust between them.
All of these domains contain objects, such as users, computers, and groups. Homer’s user account is in the Training domain, and a server named Costington is in the Blogs domain. With the transitive trust, it’s possible to grant Homer access to the Costington server without creating another trust relationship directly between the Training and Blogs domains.
Without a trust relationship, you’d have to create another account for Homer in the Blogs domain before you could grant him access. Additionally, Homer would need to manage the second account’s password separately. However, with the transitive trust relationships, the network supports SSO, so Homer only needs a single account.
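The three-domain topology from the figure as a constructed trust graph, with a breadth-first search that finds the chain through which the Blogs domain trusts a Training account. This is an added example, not code from the original post or from Active Directory; the dictionary of direct trusts and the function names are assumptions for the demonstration, and the `transitive=False` case shows why the access grant fails without transitive trusts.

```python
from collections import deque

# Constructed trust topology from the figure: a two-way trust between the parent
# and each child, and no direct trust between the two children. Each key maps a
# domain to the domains it trusts directly.
DIRECT_TRUSTS = {
    "GetCertifiedGetAhead.com": {"Training.GetCertifiedGetAhead.com",
                                 "Blogs.GetCertifiedGetAhead.com"},
    "Training.GetCertifiedGetAhead.com": {"GetCertifiedGetAhead.com"},
    "Blogs.GetCertifiedGetAhead.com": {"GetCertifiedGetAhead.com"},
}


def trust_path(trusts: dict, resource_domain: str, account_domain: str):
    """Return the chain of domains through which resource_domain trusts
    account_domain (following trusts transitively), or None if there is none."""
    if resource_domain == account_domain:
        return [resource_domain]
    queue = deque([[resource_domain]])
    seen = {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt in trusts.get(path[-1], ()):
            if nxt in seen:
                continue
            if nxt == account_domain:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def can_grant_access(trusts: dict, server_domain: str, user_domain: str,
                     transitive: bool = True) -> bool:
    """Can an account from user_domain be granted rights on a server in server_domain?

    With transitive=False only a direct trust counts, which is the situation where
    a second account for the user would have to be created in server_domain."""
    if not transitive:
        return user_domain in trusts.get(server_domain, ())
    return trust_path(trusts, server_domain, user_domain) is not None
```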
Q. A network includes a ticket-granting ticket server used for authentication. Which authentication service does this network use?
A. Shibboleth
B. SAML
C. LDAP
D. Kerberos
Answer is D. Kerberos uses a ticket-granting ticket (TGT) server, which creates tickets for authentication.
Shibboleth is a federated identity solution used in some single sign-on (SSO) solutions.
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for some SSO solutions.
Lightweight Directory Access Protocol (LDAP) is an X.500-based authentication service used to identify objects.
See Chapter 2 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on authentication services.