2011.10.16 03:25

Kerberos vs LDAP


http://forums.techarena.in/active-directory/1170562.htm


AD 2008 has the same LDAP features as AD 2003, so migrating either AD or
Windows server should not matter here.

LDAP is primarily a directory access protocol. Kerberos is an
authentication protocol. They do different things. LDAP has a primitive
authentication mechanism called "simple bind" that applications can use to
verify credentials if they can't handle other authentication protocols.

It gets tricky because LDAP also includes an extensible authentication
framework called SASL that allows alternate authentication protocols to be
added. AD supports GSS-API (Kerberos), GSS-SPNEGO (Windows negotiate
authentication which selects between Kerberos and NTLM), Digest and External
(for client cert auth). Thus, if the client understands any of those SASL
mechanisms, it can actually use that for the authentication. As such,
Kerberos may be used by an application during an LDAP bind operation if the
client understands this.

In fact, scripts that use GetObject("LDAP://....") actually use GSS-SPNEGO
authentication using the current user's credentials to authenticate to the
directory and will use Kerberos when possible.

The bottom line here is that nothing important has really changed here, so
apps that required LDAP before should still be able to use LDAP. It is
probably worth understanding why an app would need LDAP for auth, especially
if other options are available. Another thing to consider is that if an app
uses LDAP simple bind, the password is passed in plaintext on the network
and is not secure without SSL which is not deployed on domain controllers by
default. Beware!

Microsoft recommends against using LDAP for authentication purposes, however
there are cases where it is the only practical approach and it is supported.

Interactive login to the workstation or authentication performed for RPC and
such NEVER uses LDAP. They always use negotiate authentication which
attempts to use Kerberos whenever possible.

Joe K.
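The distinction the post draws between a simple bind (password on the wire) and a SASL bind such as GSS-SPNEGO is visible in the BindRequest itself. As an added example that is not part of the original post, the Python below decodes an LDAP BindRequest using the RFC 4511 BER tags and reports which authentication choice it carries; the two frames and the DN, password and token bytes in them are constructed samples, not captures.

```python
# Added example: inspect an LDAP BindRequest to tell a simple bind from a SASL bind.
# Assumes RFC 4511 encoding with definite-length BER and one LDAPMessage per buffer.

def _ber(tag, value):
    """Encode one TLV with a short- or long-form definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def classify_bind(msg):
    """Report how a BindRequest authenticates and whether a cleartext password is present."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:                        # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    (_, msg_id), (op_tag, op) = _children(body)[:2]
    if op_tag != 0x60:                     # [APPLICATION 0] BindRequest
        return {"bind": False}
    (_, ver), (_, name), (auth_tag, auth) = _children(op)[:3]
    result = {"bind": True, "message_id": int.from_bytes(msg_id, "big"),
              "version": ver[0], "name": name.decode()}
    if auth_tag == 0x80:                   # simple [0] OCTET STRING: the password itself
        result.update(method="simple", password_exposed=True, password_len=len(auth))
    elif auth_tag == 0xA3:                 # sasl [3] SaslCredentials { mechanism, credentials }
        result.update(method="sasl", mechanism=_children(auth)[0][1].decode(),
                      password_exposed=False)
    else:
        result.update(method="unknown", password_exposed=None)
    return result

# Constructed sample frames (DN, password and SPNEGO token are placeholders, not real data).
SIMPLE_BIND = _ber(0x30, _ber(0x02, b"\x01") + _ber(0x60, _ber(0x02, b"\x03")
    + _ber(0x04, b"CN=svc_app,OU=Service,DC=corp,DC=example") + _ber(0x80, b"Winter2011!")))
SPNEGO_BIND = _ber(0x30, _ber(0x02, b"\x02") + _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, b"")
    + _ber(0xA3, _ber(0x04, b"GSS-SPNEGO") + _ber(0x04, b"<constructed SPNEGO token>"))))
```

Run against traffic on port 389 that is not wrapped in TLS, a `method == "simple"` result is exactly the plaintext-password case the post warns about.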
