Authentication. It sounds easy enough, in principle: You have a system, a procedure which anyone that tries to gain access to it has to follow, and a set of checks to ensure that recognized users are actually who they claim to be. But every system has its individual quirks – commercial operating systems, especially.

Users of Windows 8.1, Windows Server 2012 R2, Windows Server 2012, and Microsoft networking in general have a particular set of mechanisms and procedures to follow – and these systems form a significant proportion of the enterprise networks in use today. So in this article we’ll be looking at some basic principles and best practices for performing and managing Windows Authentication.

Authentication Basics

In the context of a computer network, authentication is the process used to prove the identity of an application or resource. This typically involves a cryptographic operation employing an encryption key exclusive to the user (as in the case of a public key), or one that’s shared. A server will compare the signed and submitted data with a known cryptographic key, in order to validate the authentication attempt.

There are a number of authentication techniques available to choose from. These include the simple logon procedure based on a code or pattern possessed only by the user – such as a password, PIN, or barcode. More complex procedures might include physical and virtual objects or attributes which the user possesses, such as a public key certificate, digital token, or biometric information like a fingerprint or retinal scan.

Storing Identity Information

The cryptographic keys and databases of unique identifiers must be stored in a safe and centralized location, to ensure that the authentication system can be scaled up or down as required, and remains easy to manage and maintain. For networked environments, Active Directory Domain Services is the default technology for storing identity information and cryptographic keys.

Default Protocols

A default set of authentication protocols ships with the Windows operating system, as part of an expandable architecture. Some of these protocols may be combined into authentication packages like Negotiate, or the Credential Security Support Provider. The various protocols and packages cover the authentication of network users, computer systems, and services.

Windows Authentication verifies that information submitted by a person, application, or computer is coming from a trusted source. There are several mechanisms provided for achieving this objective.

NTLM

Windows NT LAN Manager (reduced to the acronym NTLM) provides a suite of security protocols for authentication, confidentiality, and integrity checking. NTLM supersedes the authentication protocols used in the older Microsoft LAN Manager (or LANMAN) system.

NTLM is an authentication protocol of the “challenge-response” type. It allows Windows Authentication to extend to legacy applications, and requires the Active Directory in order to run on the Microsoft platform.

As well as authentication, NTLM provides options for session security. Signing and sealing functions within NTLM can allow message integrity and confidentiality checks to be performed.

Kerberos

Before the release of Windows 2000 Server, Microsoft exclusively used NTLM for authentication. The more efficient and secure Kerberos protocol – which is also more compatible with Unix and other operating environments – was adopted for authentication in Windows 2000, and other Microsoft networking systems going forward.

Microsoft Windows Server systems deploy the Kerberos version 5 authentication protocol and extensions for public key authentication. The Kerberos authentication client behaves as a security support provider (SSP), which may be accessed through the Security Support Provider Interface (SSPI).

In a Kerberos authentication, information is sent to a server running the Authentication Service, each time a user inputs their login credentials. The Authentication Service relays this information to a database known as the Key Distribution Center (KDC).

A Ticket Granting Ticket (TGT) is issued to the client if their credentials (username and password, etc.) are certified as valid – with an associated time stamp, public key, and certificate to enable the user to complete the logon process. The TGT may then be presented to the Ticket Granting Service, with the user’s request for a session ticket to access a network resource.

For Windows Authentication, all Kerberos-related services are held by each domain controller – which are known collectively as the KDC (Key Distribution Center). This actually runs as the Kerberos Key Distribution Center service, on each domain controller or DC.

To find a domain controller which is also the KDC, a client must use the DC Locator process. This requires a DNS server to locate an appropriate DC, then transmit that information back to the client. The client or user passes their credentials to the domain controller, which grants a TGT whose access rights can be checked by the relevant server. A session ticket may be issued immediately, if the server to be accessed is in the DC’s domain.

Kerberos also requires DCs in a domain to be authenticated, in order for certain processes such as replication to be carried out.

TLS/SSL

Transport Layer Security / Secure Sockets Layer (TLS/SSL) – which are the prevailing secure protocols for data transmission via the internet – are implemented for Windows Authentication through the Secure Channel or Schannel Security Support Provider. A client-server model is adopted for all mechanisms under the Secure Channel (Schannel) provider authentication protocol suite.

All the authentication protocols here are based on public key cryptography, and include TLS versions 1.0, 1.1, and 1.2, SSL versions 2.0 and 3.0, Datagram Transport Layer Security protocol version 1.0, and the Private Communications Transport (PCT) protocol, version 1.0.

Multi-factor Authentication

For business purposes, users and services on a network may be required to access multiple applications or resources, on various types of servers, across multiple locations, or within a single site. Authentication procedures must be flexible and varied enough to support a number of physical and virtual conditions, and allow for compatibility with other operating systems or different Windows versions.

Because of this, many enterprises are implementing multi-factor authentication, adding smart cards, digital tokens, and biometric identification techniques to the Windows Authentication mix.

Managing Credentials

The Microsoft platform provides a Secure Desktop for local or domain access, which may be used for the gathering of credentials via websites or apps. This is a credential management system which makes it possible to ensure that the proper credentials are presented each time a network resource is accessed.

Integrated Windows Authentication (or IWA) is a feature which enhances the protection and handling of credentials when network connections are being authenticated. It also enables contemporary authentication protections to be extended to legacy systems.

Group Policy & Server Manager

Group Policy (which may be installed using Server Manager) allows for the configuration and fine-tuning of many Windows Authentication features. The Windows Biometric Framework feature may also be installed via Server Manager, which acts as the source for installing other components such as Active Directory Domain Services and Web Server (IIS).

Windows 10 & Server 16 Issues

Configuring authentication methods for Windows 10 and Windows Server 16 involves some variants on the techniques used in previous versions of these operating systems. Microsoft has published an online guide, with step-by-step instructions on some of these aspects.