Quest Software Inc.

Integration and Identity Management Technologies Glossary


Active Directory

The Active Directory service is a core component of the Microsoft Windows operating system. It provides a directory service supporting the Lightweight Directory Access Protocol (LDAP), and a Kerberos KDC to authenticate users. It allows organizations to share and manage information about network resources and users and provides a Single Sign-On environment that integrates with the standard Windows desktop login. In addition, it acts as a single point of management for Windows-based user accounts, clients, servers, and applications.

The directory is arranged hierarchically, allowing division of enterprise resources into different domains. Each resource (e.g., a user or an application) is represented as an object with a number of attributes (for example, the organizational group to which the resource belongs). The directory may be browsed hierarchically for resources, or each resource can be individually addressed by providing its Distinguished Name. The Distinguished Name is simply a group of attributes that uniquely identifies an object within the Active Directory hierarchy.
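The Distinguished Name described above is a comma-separated chain of attribute=value pairs whose values follow the LDAP string encoding of RFC 4514. The following parser and escaper is an added example, not code from the glossary or from Quest; the sample DN and the `parent_dn` helper are constructed for illustration. It also shows why a DN assembled from untrusted input must escape the value: an unescaped comma would otherwise add an extra RDN and change which object the DN names.

```python
import re

_SPECIAL = set(',+"\\<>;')   # RFC 4514: these need a backslash anywhere inside a value

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN without changing its meaning."""
    out = []
    for i, ch in enumerate(value):
        # specials anywhere, '#' at the start, and a space at either end all take a backslash
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, len(value) - 1)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def parse_dn(dn: str) -> list:
    """Return [(attribute type, decoded value), ...] with the most specific RDN first."""
    pairs, attr_type, buf, i = [], None, bytearray(), 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ','      # sentinel comma terminates the last RDN
        if ch == '\\':
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r'[0-9A-Fa-f]{2}', hexpair):
                buf.append(int(hexpair, 16)); i += 3    # '\2c' is a raw byte (may form UTF-8)
            elif i + 1 < len(dn):
                buf += dn[i + 1].encode('utf-8'); i += 2  # '\,' is a literal comma
            else:
                raise ValueError("dangling backslash in DN")
        elif ch == '=' and attr_type is None:   # first '=' of an RDN separates type from value
            attr_type = buf.decode('utf-8').strip().upper(); buf = bytearray(); i += 1
        elif ch == ',':                         # unescaped comma ends the current RDN
            if not attr_type:
                raise ValueError("RDN without an attribute type")
            pairs.append((attr_type, buf.decode('utf-8')))
            attr_type, buf = None, bytearray(); i += 1
        else:
            buf += ch.encode('utf-8'); i += 1
    return pairs

def build_dn(pairs) -> str:
    """Inverse of parse_dn: re-escape each value and join the RDNs with commas."""
    return ','.join(f"{t}={escape_rdn_value(v)}" for t, v in pairs)

def parent_dn(dn: str) -> str:
    """The container one level up the hierarchy, i.e. the DN with its leading RDN removed."""
    return build_dn(parse_dn(dn)[1:])

# Constructed sample: a user whose common name itself contains a comma.
SAMPLE_DN = r"CN=Smith\, John,OU=Users,DC=example,DC=com"
```

Walking `parse_dn(SAMPLE_DN)` from the last pair back to the first follows the hierarchy from the domain down to the object, which is exactly the order in which the directory is browsed.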

The directory also provides fine-grained security mechanisms to allow administrators to determine exactly what information may be accessed. Users can be restricted to specific objects, or even specific attributes within the directory.

The main benefits of using Active Directory are that it simplifies the management of user accounts and provides a Single Sign-On infrastructure to users. Its support for standard protocols such as LDAP and Kerberos means that it can be used as, or with, a cross-platform solution. The Kerberos support in Active Directory has been tested to ensure interoperability with the MIT Kerberos implementation used by many Unix vendors. However, some differences between the Microsoft and MIT implementations are worth noting.

Support for Privilege Attribute Certificates (PACs)

Microsoft's Kerberos implementation uses the Authorization Data field of the Kerberos ticket to pass Privilege Attribute Certificates (PACs) to Kerberized applications. Applications that support Microsoft's PAC format can use this information to provide fine-grained access control to services.

Integration with LDAP

Active Directory's Kerberos features are tightly integrated with its LDAP server. This means that user information such as groups can be retrieved using standard tools and APIs.

Windows Native Credential Cache

Unlike the MIT implementation, the Windows Kerberos implementation uses an in-memory credential cache to store Kerberos tickets and TGTs (the MIT implementation uses a disk file). The cache is held in non-paged memory, so it is never written to disk. Microsoft provides routines to obtain credentials from this cache through its Local Security Authority API (LSA API).

Smart Card/PKI Support

Microsoft supports a version of the PKINIT protocol that allows the initial authentication to the directory to be performed using a private key or smart card.
