Ping a Specific Port

Question

mellow-yellow

Asked: 2017-11-18 17:12:50 +0800 CST2017-11-18 17:12:50 +0800 CST 2017-11-18 17:12:50 +0800 CST

Active Directory: What connects the KDC's principals to LDAP entries?

772

In Active Directory, what connects the KDC's principals to their corresponding LDAP entries? For example, my KC principal might be

Name[/Instance]@REALM
john/[email protected]

and my LDAP entry might be:

dn: cn=john,dc=company,dc=com
objectclass: somewhere

but how does Active Directory "connect" the two? SRV records? For example, when I log in (i.e., use Kerberos), how does AD match my Kerberos principal to my LDAP entry?

UPDATE: This MSDN article comes close to answering the question, but doesn't clearly explain the flow: "The Key Distribution Center (KDC) is implemented as a domain service. It uses the Active Directory as its account database and the Global Catalog for directing referrals to KDCs in other domains.. The KDC for a domain is located on a domain controller, as is the Active Directory for the domain. Both services [ sic? probably meant the 3 services of Kerberos: AS, TGS, and password reset ] are started automatically by the domain controller's Local Security Authority (LSA) and run as part of the LSA's process."

2 Answers

Voted

Jacob Evans · Answer 1 · 2017-11-18T19:03:38+08:00

Jacob Evans

2017-11-18T19:03:38+08:002017-11-18T19:03:38+08:00

An ldap attribute called SPN (service provider name) the primary being HOST

2

LeeM · Answer 2 · 2020-12-01T21:00:17+08:00

LeeM

2020-12-01T21:00:17+08:002020-12-01T21:00:17+08:00

If you're more wondering where an AD-joined object is looking to find the realm to authenticate with, yes, it's SRV records.

In the root namespace for the domain, there are _tcp_ldap, _tcp_gc (for the AD Global Catalog LDAP interface) _tcp_kerberos and _tcp_ktpasswd SRV records as service locators for anything using the domain DNS for name resolution. There should be one of each for each DC in the domain. The two Kerberos-related ones have UDP SRVs as well

In addition, there are site-specific SRV records. If the domain is segmented into sites by IP subnets, by default, DCs in that IP range will register the same set of SRVs in a _sitename subzone. If there are no DCs within a site boundary, all of them will register SRVs in that DNS subzone, although that can be altered by GPO. Finally, for Active Directory, there is an _msdcs.[domainFQDN] zone, which has yet another copy of all the above SRVs. This is what Windows clients use first when identifying services.

0

Active Directory: What connects the KDC's principals to LDAP entries?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?