A directory service stores, organizes, and provides access to information in a directory. Directory services are used for locating, managing, administering, and organizing common items and network resources, such as volumes, folders, files, printers, users, groups, devices, telephone numbers, and other objects. One popular directory service used by many organizations is Microsoft Active Directory. Active Directory Domain Services (AD DS) is the Microsoft directory service that does the following:
- Stores information about the identities of users, computers, and services
- Provides authentication for users and computers
- Provides authorization for users and computers to access network resources

The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying data using directory services running over TCP/IP. Within the directory, the sets of objects are organized in a logical hierarchical manner so that you can easily find and manage them.

Kerberos is a computer network authentication protocol, which allows hosts to prove their identity over a nonsecure network in a secure manner. It can also provide mutual authentication so that both the user and server verify each other’s identity. For security reasons, Kerberos protocol messages are protected against eavesdropping and replay attacks.

Single Sign‐On (SSO) allows you to log on once and access multiple related but independent software systems without having to log on again.

The logical components (which administrators create, organize, and manage) include:
- Organizational units (OUs): Containers in a domain that allow you to organize and group resources for easier administration, including providing and delegating administrative rights.
- Domains: Administrative boundaries for users and computers that are stored in a common directory database.
- Domain trees: Collections of domains that are grouped together in hierarchical structures and that share a common root domain. A domain tree could have a single domain or many domains.
- Forests: Collections of domain trees that share a common AD DS. A forest can contain one or more domain trees or domains, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two‐way transitive trust relationships.

The schema of Active Directory defines the format of each object and the attributes or fields within each object.

The physical components that make up Active Directory include the following:
- Domain controllers: The servers that contain the Active Directory databases. A domain partition stores only the information about objects located in that domain. All domain controllers in a domain receive changes and replicate those changes to the domain partition stored on all other domain controllers in the domain. As a result, all domain controllers are peers in the domain and manage replication as a unit.
- Site: A group of IP subnets that are connected at high speed.

After you have promoted a computer to a domain controller, you can use several MMC snap‐in consoles to manage Active Directory. These consoles are as follows:
- Active Directory Users and Computers: Used to manage users, groups, computers, and organizational units (see Figure 1‐1)
- Active Directory Domains and Trusts: Used to administer domain trusts, domain and forest functional levels, and User Principal Name (UPN) suffixes
- Active Directory Sites and Services: Used to administer replication of directory data among all sites in an Active Directory Domain Services (AD DS) forest
- Active Directory Administrative Center: Used to administer and publish information in the directory, including managing users, groups, computers, domains, domain controllers, and organizational units
- Group Policy Management Console (GPMC): Used to provide a single administrative tool for managing Group Policy across the enterprise
- ADSI Edit: Used to view and edit Active Directory attributes through the Active Directory Service Interfaces (ADSI) protocol

After you create an Active Directory design, you need to think about the actual deployment process. As with most major network technologies, installing AD DS on a test network first, before you put it into actual production, is a good idea. The Global Catalog (GC) and Read only domain controller (RODC) options are grayed out because the first domain controller in a new forest must be a global catalog server; it cannot be a read‐only domain controller.

In Windows Server 2016, you can now install Active Directory Domain Services on a computer running the Server Core installation option and promote the system to a domain controller, all by using Windows PowerShell. For AD DS installations on Server Core, Windows PowerShell is now the preferred method. As with the wizard‐based installation, the PowerShell procedure occurs in two phases: First, you must install the Active Directory Domain Services role; then, you must promote the server to a domain controller.
creation process by skipping the defragmentation. When you execute these commands, the Ntdsutil.exe program creates a snapshot of the AD DS database, mounts it as a volume to defragment it, and then saves it to the specified folder, along with a copy of the Windows registry.

Introducing a Windows Server 2016 domain controller onto an existing AD DS installation is quite simple. You can upgrade an AD DS infrastructure in two ways. You can upgrade the existing down‐level domain controllers to Windows Server 2016, or you can add a new Windows Server 2016 domain controller to your existing installation. You can upgrade a Windows Server 2008 R2 with SP1, Windows Server 2012, or Windows Server 2012 R2 domain controller to Windows Server 2016, but no earlier versions are upgradable.

Although the global catalog is not one of the five operation masters, global catalogs provide a critical functionality for Active Directory. As a domain controller, a global catalog stores a full copy of all objects in the domain. In addition, as a global catalog, it also has a partial copy of all objects for all other domains in the forest. The partial copy of all objects is used for logon, object searches, and universal group membership. A global catalog is created automatically on the first domain controller in the forest. Optionally, other domain controllers can be configured to serve as global catalogs. As noted earlier, the global catalog is an index of all AD DS objects in a forest that prevents systems from having to perform searches among multiple domain controllers.

The Domain Name System (DNS) is essential to the operation of Active Directory Domain Services. To accommodate directory services such as AD DS, a special DNS resource record was created that enables clients to locate domain controllers and other vital AD DS services.
To confirm that a domain controller has been registered in the DNS, open a Command Prompt window with administrative privileges and enter the following command:

dcdiag /test:registerindns /dnsdomain: /v

Operations masters, sometimes referred to as Flexible Single Master Operations (FSMO), are specialized domain controllers that perform certain tasks that can be handled only by a single domain controller in a multimaster environment.

Primary Domain Controller (PDC) Emulator (one per domain)

The PDC Emulator was originally created to provide backward compatibility with Windows NT 4.0 domains. It also coordinates password changes, account lockouts, and time synchronization; manages edits to Group Policy Objects (GPOs); and acts as a domain master browser (provides a list of workgroups and domains when you browse). When a password is changed, the domain controller that initiates a password change sends the change to the PDC Emulator, which in turn updates the global catalog server and provides immediate replication to other domain controllers in the domain.

Because the PDC Emulator is the most heavily used role and because of the tasks that it does, it can affect users when it is down. For example, if a password is changed, it might not be immediately replicated, which can cause problems when a user tries to access resources. If the system clocks drift too much, users might not be able to log on as Kerberos fails. In addition, account lockout might not work and you might not be able to raise the functional level of a domain.
Infrastructure Master (one per domain)
The Infrastructure Master is used to track which objects belong to which domain because it is responsible for reference updates from its domain objects to other domains. When you rename or move a member of a group (and the members that reside in different domains from the group), the Infrastructure Master is responsible for updating the group so it knows the new name or location of the member.
Typically, the loss of the Infrastructure Master is not visible to users. However, it might be seen if you recently moved or renamed a large number of accounts.
Relative Identifier (RID) Master (one per domain)
Master does not affect users, you are not able to add or remove domains from the forests. The easiest way to view the holders of all operations masters at once is to execute the following command at a command prompt (see Figure 1‐9):

netdom query fsmo

To view the RID Master, PDC Emulator, or Infrastructure Master, use the Active Directory Users and Computers console.

Windows Server 2008 introduced the read‐only domain controller (RODC), which contains a full replication of the domain database. It was created to be used in places where a domain controller is needed but the physical security of the domain controller cannot be guaranteed. For example, it might be placed in a remote site that is not very secure and has a slower WAN link. Because it has a slow WAN link, a local domain controller would benefit the users at that site.

The four primary steps to deploy a cloned virtualized domain controller are as follows:
- Grant the source virtualized domain controller the permission to be cloned by adding the source virtualized domain controller to the Cloneable Domain Controllers group.
- Run the Get‐ADDCCloningExcludedApplicationList cmdlet in PowerShell to determine which services and applications on the domain controller are not compatible with the cloning.
- Run New‐ADDCCloneConfigFile to create the clone configuration file, which is stored in C:\Windows\NTDS.
- In Hyper‐V, export and then import the virtual machine of the source domain controller.

A user account is used by Windows to determine what changes you can make on the computer, to determine which files and folders you have access to, and to track personal preferences, such as your choice of desktop wallpaper, color schemes, drive mappings, and/or screen savers. There are standard accounts used to perform daily tasks on the computer that are limited in what they can do as well as administrative accounts that provide full control over the computer.

Authentication is the process of confirming a user’s identity by using a known value, such as a password, a smart card, or a fingerprint. After a user supplies a name and password, the authentication process validates the credentials supplied in the logon against information that is stored within the AD DS database. Do not confuse authentication with authorization, which is the process of confirming that an authenticated user has the correct permissions to access one or more network resources.

The following two types of user accounts run on Windows Server 2016 systems:
- Local users can access only resources on the local computer and are stored in the local Security Account Manager (SAM) database on the computer where they reside. Local accounts are never replicated to other computers, nor do these accounts provide domain access. A local account configured on one server cannot be used to access resources on a second server; you need to configure a second local account in that case.
- Domain users can access AD DS or network-based resources, such as shared folders and printers. Account information for these users is stored in the AD DS database and replicated to all domain controllers within the same domain. A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.

By default, two built-in user accounts are created on a computer running Windows Server 2016: the Administrator account and the Guest account. Built-in user accounts can be local accounts or domain accounts, depending on whether the server is a stand-alone server or a domain controller. In the case of a stand-alone server, the built-in accounts are local accounts on the server itself. On a domain controller, the built-in accounts are domain accounts that are replicated to each domain controller. On a member server or stand-alone server, the built-in local Administrator account has full control of all files and complete management permissions for the local computer. On a domain controller, the built-in Administrator account created in Active Directory has full control of the domain in which it was created. By default, each domain has only one built-in administrator account. Neither the local Administrator account on a member server or stand-alone server nor a domain Administrator account can be deleted; however, they can be renamed.

One of the most common tasks for you is the creation of Active Directory user objects. Windows Server 2016 includes several tools you can use to create objects. The specific tool you use depends on how many objects you need to create, the time frame available for the creation of these groups, and any special circumstances, such as importing users from an existing database.
- Dsadd.exe: This standard command-line tool creates AD DS leaf objects, which you can use with batch files to create AD DS objects in bulk.
- Windows PowerShell: This currently approved Windows maintenance tool creates object creation scripts of nearly unlimited complexity.
- Comma-Separated Value Directory Exchange (CSVDE.exe): This command-line utility creates new AD DS objects by importing information from a comma-separated value (.csv) file.
- LDAP Data Interchange Format Directory Exchange (LDIFDE.exe): Like CSVDE, this utility imports AD DS information and uses it to add, delete, or modify objects, in addition to modifying the schema, if necessary.

For some administrators, creating individual user accounts is a daily task, and there are many ways to go about it. To create a user by using the Dsadd.exe utility, you must know the distinguished name (DN) for the user and the user’s logon ID, also known as the SAM account name attribute within AD DS. The SAM account name refers to each user’s logon name—the portion to the left of the @ within a User Principal Name—which is eander in [email protected]. The SAM account name must be unique across a domain.

Microsoft places emphasis on Windows PowerShell as a server management tool and provides a cmdlet called New-ADUser, which you can use to create a user account and configure any or all of the attributes associated with it. The New-ADUser cmdlet has several parameters to
these tabs are displayed. To show all of the tabs, you have to open the View menu and click Advanced Features.
- New-ADUser: Creates user accounts
- Set-ADUser: Modifies properties of user accounts
- Remove-ADUser: Deletes user accounts
- Set-ADAccountPassword: Resets the password of a user account
- Set-ADAccountExpiration: Modifies the expiration date of a user account
- Unlock-ADAccount: Unlocks a user account when it is locked after exceeding the accepted number of incorrect logon attempts
- Enable-ADAccount: Enables a user account
- Disable-ADAccount: Disables a user account

You can delete a user at any time, by opening the Active Directory Users and Computers console, finding and right-clicking the user, and choosing Delete. However, when you do, you also delete the user's GUID from any groups the user is a member of. Even if you create a new user account using the same user name, the new account will not have the same GUID and will not be a member of the same groups.

After you select multiple objects to modify, the objects must be all the same class. For example, you can select multiple user objects, but you cannot select a user object and a computer object at the same time. In these instances, you can modify the properties of multiple user accounts simultaneously, by using the ADAC or the Active Directory Users and Computers console. Disabling a user account prevents anyone from using it to log on to the domain until an administrator with the appropriate permissions enables it again.

You sometimes need to create hundreds or thousands of user objects, which makes the single object creation procedures impractical. Batch files are commonly used files that can be written by using any text editor. You can write a batch file to create objects in AD DS by following standard batch file rules and calling the Dsadd.exe program. You can also use Dsadd.exe to create, delete, view, and modify Active Directory objects, including users, groups, and OUs. To create multiple objects (including users, groups, or any other object type) by using a batch file, open Notepad and use the Dsadd.exe syntax described previously, by placing a single command on each line. After you enter the commands you need, save the file and name it by using a .cmd or .bat extension. Files with .cmd or .bat extensions are processed line by line after you execute the batch file at a command prompt with elevated permissions or double-click on the file in Windows Explorer.

A CSV file is a plaintext file that consists of records, each on a separate line, which are divided into fields and separated by commas. The format saves database information in a universally understandable way.
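The same bulk creation done from Windows PowerShell instead of a Dsadd.exe batch file or a CSVDE import, as an added example that is not from the original notes. It assumes the ActiveDirectory module, the adatum.com domain used elsewhere in these notes, a hypothetical OU named Sales, and constructed sample CSV rows in place of a real export file.

```powershell
# Added example, not from the original notes: bulk user creation with New-ADUser
# driven by CSV rows, then a bulk password reset for the same accounts.
# Assumptions: ActiveDirectory module available, domain adatum.com, and a
# hypothetical OU named "Sales". The CSV rows below are constructed sample data.
Import-Module ActiveDirectory

$csvText = @"
FirstName,LastName,SamAccountName,Department
Emma,Anderson,eander,Sales
Liam,Brown,lbrown,Sales
"@
$users  = $csvText | ConvertFrom-Csv
$ouPath = "OU=Sales,DC=adatum,DC=com"      # hypothetical target OU
$domain = "adatum.com"

# Alphanumeric pool for random initial passwords; each account gets its own value
# rather than a shared default that anyone with the import file could guess.
$pool = [char[]]((48..57) + (65..90) + (97..122))
function New-InitialPassword {
    $plain = -join (1..16 | ForEach-Object { $pool | Get-Random })
    return ConvertTo-SecureString $plain -AsPlainText -Force
}

foreach ($u in $users) {
    # The SAM account name must be unique in the domain; skip duplicates instead
    # of letting the whole run fail part-way through.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "Skipping $($u.SamAccountName): account already exists"
        continue
    }
    New-ADUser -Name "$($u.FirstName) $($u.LastName)" `
        -GivenName $u.FirstName -Surname $u.LastName `
        -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@$domain" `
        -Department $u.Department -Path $ouPath `
        -AccountPassword (New-InitialPassword) `
        -ChangePasswordAtLogon $true -Enabled $true
}

# Later bulk password reset for the same list, without opening a console per user:
# set a fresh random value, force a change at next logon, and clear any lockout.
foreach ($sam in $users.SamAccountName) {
    Set-ADAccountPassword -Identity $sam -Reset -NewPassword (New-InitialPassword)
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $sam
}
```

The generated initial passwords are never written to the console or to disk; hand them to users over a separate channel, and the forced change at first logon means the helpdesk value is only ever valid once.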
The CSVDE.exe command-line utility enables you to import or export Active Directory objects. It uses a CSV file that is based on a header record, which identifies the attribute contained in each comma-delimited field. The header record is the first line of the text file that uses proper attribute names. After you add a record for each account you want to create, save the file by using .csv as the extension. You then use the following command syntax to run the CSVDE.exe program and import the file:

csvde.exe -i -f <filename.csv>

The -i switch tells CSVDE.exe that this operation will import data. The -f switch specifies the .csv file containing the records to be imported.

You can use any text editor to create the LDIFDE.exe input file, which is formatted according to the LDAP Data Interchange Format (LDIF) standard. The format for the data file containing the object records you want to create is significantly different from CSVDE.exe. The following example shows the syntax for a data file to create the same user account discussed in the CSVDE.exe

By using LDIFDE.exe, you can specify one of three actions to perform with the LDIF file:
- Add creates new objects by using the LDIF records.
- Modify modifies existing object attributes by using the LDIF records.
- Delete deletes existing objects by using the LDIF records.

Resetting a user’s password is relatively time consuming when using Active Directory Users and Computers and Active Directory Administrative Center. If you have to reset the password for many users, that simple task becomes a daunting task.

Like user accounts, Windows computer accounts provide a means for authenticating and auditing the computer’s access to a Windows network and its access to domain resources. Each Windows computer to which you want to grant access to resources must have a unique computer account. It can also be used for auditing purposes, specifying which system was used when something was accessed.

In addition to creating user accounts in the domain, you need to make sure that the network computers are part of the domain. Adding a computer to an AD DS domain consists of two steps:
- Creating a computer account: You create a computer account by creating a new computer object in Active Directory and assigning the name of an actual computer on the network.
Domain. The syntax for the command is as follows:

netdom join /Domain: [/UserD: /PasswordD:] [/OU:OUDN]
Domain users also can create computer objects themselves through an interesting, indirect process. The Default Domain Controllers Policy GPO grants a user right called Add Workstations to the Domain to the Authenticated Users special identity. Any user who is successfully authenticated to Active Directory is permitted to join up to 10 workstations to the domain and create 10 associated computer objects, even if the user does not possess explicit object creation permissions.

The offline domain join procedure requires you to run the Djoin.exe program twice, once on a computer with access to a domain controller, and then again on the computer to be joined. After connecting to the domain controller, the program gathers computer account metadata for the system to be joined and saves it to a file. The syntax for this phase of the process is as follows:

djoin /provision /domain /machine /savefile <filename.txt>

Specifying what a user can do on a system or to a resource is determined by two things: permissions and rights. A permission defines the type of access that is granted to an object (an object can be identified with a security identifier) or object attribute. The most common objects assigned permissions are NTFS files and folders, printers, and Active Directory objects. To keep track of all this, information such as which user can access an object and what the user can do is recorded in the access control list (ACL), which lists all users and groups that have access to the object.

A user right authorizes a user to perform certain actions on a computer, such as logging on to a system interactively or backing up files and directories on a system. User rights are assigned through local policies or Active Directory group policies. See Figure 2-13. Some of the user rights include:
- Access this computer from the network: This policy setting determines which users can connect to the computer from the network.
- Add workstations to domain: This policy setting determines which users can add a computer to a specific domain.
- Allow log on locally: This policy setting determines which users can start an interactive session on the computer. The error message the users will see without this permission is “The local policy of this system does not permit you to logon interactively.” Users who do not have this right are still able to start a remote interactive session on the computer if they have the Allow logon through Remote Desktop Services right.

A container in Active Directory is an object that has child objects (other containers or leaf objects), which include domains, organizational units (OUs), and sites. Forests, trees, domains, and organizational units can contain users, computers, printers, and organizational units. When you create a domain, the domain will have the following default containers:
- Builtin: Holds default service administrator accounts and domain local security groups. These groups are preassigned permissions needed to perform domain management tasks.
- Computers: Holds all computers joined to the domain that aren’t assigned to any organizational unit; it is the default location for new computer accounts created in the domain.
- Domain Controllers: Is the default location for the computer accounts for domain controllers.
- ForeignSecurityPrincipals: Holds proxy objects for security principals in NT 4.0 domains or domains outside of the forest.
- LostAndFound: Holds objects moved or created at the same time an organizational unit is deleted. During replication between domain controllers, new objects are placed in the LostAndFound container.
- NTDS Quotas: Holds objects that contain limits on the number of objects users and groups can own.
- Program Data: Holds application-specific data created by other programs.
- System: Holds configuration information about the domain, including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies.
- Users: Holds additional predefined user and group accounts (besides those in the Builtin container). Users and groups are preassigned membership and permissions for completing domain and forest management tasks.
The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these containers, open the View menu and select Advanced Features. Of these default containers, only Domain Controllers is an organizational unit.

Organizational units are the preferred method of subdividing a domain, and the domain administrator must create all other OUs. As you can see in Figure 3-1, the organizational units and containers have different icons. OUs are not considered security principals. Therefore, you cannot assign access permissions to a resource based on membership to an OU. Herein lies the difference between OUs and global, domain local, and universal groups. You use groups to assign access permissions, whereas OUs are used for organizing resources and delegating permissions. After you create an OU, you can double-click it to open its properties sheet, in which you can modify its attributes, or right-click it and choose Move to open the Move dialog box.
To delete an OU, you just have to select the OU and click Delete. However, to prevent acci-
Group type defines how a group is used within Active Directory. The two Windows Server 2016 group types are as follows:
- Distribution groups: Non-security-related groups created for the distribution of information to one or more persons
- Security groups: Security-related groups created for the purpose of granting resource access permissions to multiple users

In addition to security and distribution group types, several group scopes are available within Active Directory. The group scope controls which objects the group can contain, limiting the objects to the same domain or permitting objects from remote domains as well, and also controls the location in the domain or forest where the group can be used. Group scopes available in an Active Directory domain include domain local groups, global groups, and universal groups.

DOMAIN LOCAL GROUPS

Domain local groups can have any of the following as members:
- User accounts
- Computer accounts
- Global groups from any domain in the forest
- Universal groups
- Domain local groups from the same domain

You use domain local groups to assign permissions to resources in the same domain as the domain local group. Domain local groups can make permission assignment and maintenance easier to manage. For example, if you have 10 users who need access to a shared folder, you can create a domain local group that has the appropriate permissions to the shared folder. Next, you create a global or universal group and add the 10 user accounts as members of this group. Finally, you add the global group to the domain local group. The 10 users have access to the shared folder via their membership in the global group. If any additional users need access to the shared folder, you can add them to the global group, and they will automatically receive the necessary permissions.

GLOBAL GROUPS

Global groups can have the following as members:
- User accounts from the same domain as the global group
- Computer accounts from the same domain as the global group
- Other global groups from the same domain

You can use global groups to grant or deny permissions to any resource located within the same domain directly or in any domain in the forest by adding the global group as a member of a domain local group that has the desired permissions. Global group memberships are replicated only to domain controllers within the same domain. Users with common resource needs should be members of a global group, to facilitate the assignment of permissions to resources. You can change the membership of the global group as frequently as necessary to provide users with the necessary resource permissions.

UNIVERSAL GROUPS

Universal groups can contain the following members:
- User accounts from any domain in the forest and any trusted domain
- Computer accounts from any domain in the forest and any trusted domain
- Global groups from any domain in the forest
- Other universal groups

Universal groups, like global groups, can organize users according to their resource access needs. You can use them to provide access to resources located in any domain in the forest.

As discussed previously, group nesting is the term used after groups are added as members of other groups. For example, after you make a global group a member of a universal group, it is nested within the universal group. This traditional approach to group nesting in AD DS is often referred to using the mnemonic AGUDLP: You add Accounts to Global groups, add those global groups to Universal groups, add universal groups to Domain Local groups, and, finally, assign Permissions to the domain local groups. The use of domain local groups for resource permissions and global groups for user accounts is a holdover from Windows NT and early Windows Server versions that did not enable global groups to have other global groups as members. Windows Server 2008 (the lowest functional level supported by Windows Server 2016) and later support nested global groups within other global groups. There is, therefore, no reason why you cannot fully use global groups.

Special identities exist on all computers running Windows Server 2016. These are not groups because you cannot create them, delete them, or directly modify their memberships. Special identities do not appear as manageable objects in the AD DS utilities, but you can use them like groups, by adding them to the ACLs of system and network resources.

The procedure for creating groups in Active Directory Administrative Center or Active Directory Users and Computers is similar to creating organizational units. When you create a group, you must specify a name for the group object. The name you select can be up to 64 characters long and must be unique in the domain. You must also choose a group type and a group scope. Figure 3-8 shows the Create Group window in Active Directory Administrative Center.
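The shared-folder scenario from the domain local groups section carried through AGUDLP in PowerShell (here the single-domain form A-G-DL-P, with no universal group in between), as an added example that is not from the original notes. It assumes the ActiveDirectory module, the adatum.com domain, a hypothetical OU named Groups, a hypothetical folder D:\Shares\Projects on the file server, and constructed sample account names.

```powershell
# Added example, not from the original notes: AGUDLP for one shared folder.
# Accounts -> Global group ("who") -> Domain Local group ("what access") -> Permission.
# Assumptions: ActiveDirectory module, domain adatum.com (NetBIOS name ADATUM),
# a hypothetical OU "Groups" and a hypothetical folder D:\Shares\Projects.
Import-Module ActiveDirectory

$ouPath  = "OU=Groups,DC=adatum,DC=com"
$folder  = "D:\Shares\Projects"
$members = @("eander", "lbrown")   # constructed sample SAM account names

# Global group: membership is replicated only within this domain, so it is the
# right place for the accounts themselves.
New-ADGroup -Name "Sales-Staff" -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity "Sales-Staff" -Members $members

# Domain local group: scoped to the domain that owns the resource; it may contain
# global groups from any domain in the forest, so cross-domain access still works.
New-ADGroup -Name "Projects-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity "Projects-Modify" -Members "Sales-Staff"

# Only the domain local group ever appears in the folder's ACL. Users come and go
# through the global group; the ACE on the resource never has to change.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "ADATUM\Projects-Modify", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verification: the nested chain resolves back to the individual accounts.
Get-ADGroupMember -Identity "Projects-Modify" -Recursive | Select-Object SamAccountName
```

Because the ACE references the domain local group only, an access review of the folder is a review of one group's recursive membership rather than of the ACL itself.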
To create nested groups, you must create the groups first and then add one to the membership list of the other. You cannot create a new group directly within the membership list of another group. Unlike the Active Directory Administrative Center, which enables you to specify a group’s members as you create the group, in Active Directory Users and Computers, you must create the group object first, and then add members to it.

Just as you used the Dsadd.exe tool in Lesson 2 to create new user objects, you can use the same program to create group objects. The basic syntax for creating group objects with
After you delete a group, you delete only the group object and the permissions and rights specifying that group as the security principal. Deleting a group does not delete the objects that are members of the group. Starting with Windows Server 2016, you can configure a group member that will automatically expire after a certain period of time. By establishing group membership expiration, you can grant temporary administrator privileges, such as granting permission to perform a specific task or install an application, and membership will automatically be revoked at the end of the time period.
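Granting a time-bound membership with the feature just described, as an added example that is not from the original notes. It assumes the ActiveDirectory module, that the Privileged Access Management Feature is already enabled in the forest, and a hypothetical group named Server-Admins plus the sample user eander.

```powershell
# Added example, not from the original notes: temporary group membership that
# Active Directory removes on its own when the TTL expires.
# Assumptions: ActiveDirectory module, PAM optional feature already enabled,
# hypothetical group "Server-Admins", sample user "eander".
Import-Module ActiveDirectory

# Precondition: the optional feature must be enabled, otherwise -MemberTimeToLive
# is rejected. EnabledScopes is empty when the feature was never turned on.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    throw "Privileged Access Management Feature is not enabled; run Enable-ADOptionalFeature first."
}

# Grant membership that lapses after four hours. No cleanup job is needed: the
# directory drops the link itself, and the Kerberos ticket lifetime for the user
# is shortened to match the TTL so the group SID does not outlive the membership.
Add-ADGroupMember -Identity "Server-Admins" -Members "eander" `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# Audit: members with a TTL are returned as <TTL=seconds,CN=...>; permanent
# members appear as plain distinguished names, which makes standing privileged
# access easy to spot during a review.
function Get-PrivilegedMembers {
    param([string]$Group = "Server-Admins")
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
}
Get-PrivilegedMembers
```

Any member of a privileged group listed without a TTL prefix is a standing privilege and worth questioning in a periodic review.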
To use group membership expiration, the domain controllers must be running at the Windows Server 2016 domain functional level. Then, to enable group membership expiration, run the following Windows PowerShell command:

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target adatum.com

Active Directory uses the Lightweight Directory Access Protocol to supply the naming convention for objects. A distinguished name is the complete path through the hierarchical tree structure to a specific object. The following are the components that make up a distinguished name:
- OU (Organizational Unit): This attribute is used to divide a namespace based on organizational structure, as previously discussed. An OU usually is associated with an Active Directory container or folder.

Containers and leaf objects are identified with cn=. The following are examples of container distinguished names:

cn=users,dc=adatum,dc=com
cn=computers,dc=mydomain,dc=local

Authentication is the act of confirming the identity of a user or system; it is an essential prerequisite for authorization, which takes place when the user or system tries to access a server or network resource. Because authentication is such a key component in security, you need to choose the appropriate authentication method. Two types of authentication that Windows supports are NT LAN Manager (NTLM) and Kerberos.

NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is an integrated Single Sign-On mechanism, which is probably best recognized as part of Integrated Windows Authentication for HTTP authentication. It provides maximum compatibility with different versions of Windows and, compared with Kerberos, it is the easiest to implement.

Kerberos is a computer network authentication protocol, which allows hosts to prove their identity over a nonsecure network in a secure manner. It can also provide mutual authentication so that both the user and server verify each other’s identity. For security reasons, Kerberos protocol messages are protected against eavesdropping and replay attacks. To secure the double-hop authentication, you can configure Kerberos constrained delegation.
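The distinguished names above can be taken apart and rebuilt mechanically. The following Python is an added example (not from the course notes) that parses a DN into its cn/ou/dc components, honoring the backslash escapes LDAP uses for values containing commas, and derives the owning domain and the parent container:

```python
import re

def parse_dn(dn):
    """Split an LDAP distinguished name into (attribute, value) RDNs, most
    specific first. Backslash escapes such as '\\,' inside a value are honored,
    so 'cn=Smith\\, John' yields the value 'Smith, John'."""
    rdns, part, attr, escaped = [], [], None, False
    for ch in dn:
        if escaped:                       # character after a backslash is literal
            part.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:  # first '=' ends the attribute type
            attr, part = "".join(part).strip().lower(), []
        elif ch == ",":                   # unescaped comma ends the RDN
            rdns.append((attr, "".join(part).strip()))
            attr, part = None, []
        else:
            part.append(ch)
    if attr is not None:
        rdns.append((attr, "".join(part).strip()))
    return rdns

def domain_of(rdns):
    """DNS name of the domain holding the object, built from its dc= components."""
    return ".".join(value for attr, value in rdns if attr == "dc")

def escape(value):
    """Escape the characters RFC 4514 requires to be escaped inside a value."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

def parent_dn(rdns):
    """DN of the container one level up, i.e. the OU or domain holding the object."""
    return ",".join(f"{attr}={escape(value)}" for attr, value in rdns[1:])

def build_dn(leaf_attr, leaf, ou_path, domain):
    """Build a DN for an object inside a nested OU path (top-level OU first)."""
    parts = [f"{leaf_attr}={escape(leaf)}"] + [f"ou={escape(ou)}" for ou in reversed(ou_path)]
    return ",".join(parts + [f"dc={label}" for label in domain.split(".")])
```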
Constrained delegation restricts which services are allowed to delegate user credentials by specifying, for each application pool or service, the services to which a Kerberos ticket can be forwarded.

Kerberos settings are configured with group policies, specifically Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Kerberos Policy (see Figure 4-1). It contains the following GPO entries:
- Enforce user logon restrictions: Forces the Key Distribution Center (KDC) to check the validity of a user account every time a ticket request is submitted. If a user does not have the right to log on locally or if her account has been disabled, she will not get a ticket. By default, the setting is on.
- Maximum lifetime for service ticket: Defines the maximum lifetime of a service ticket (Kerberos ticket). The default lifetime is 10 hours.
- Maximum lifetime for user ticket: Defines the maximum lifetime of a Kerberos ticket-granting ticket (TGT), also called the user ticket. The default lifetime is 10 hours.
- Maximum lifetime for user ticket renewal: Defines how long a service or user ticket can be renewed. By default, it can be renewed for up to seven days.
- Maximum tolerance for computer clock synchronization: Defines the maximum time skew that can be tolerated between a ticket’s time stamp and the current time at the KDC. Kerberos uses a time stamp to protect against replay attacks. The default setting is five minutes.

A service or application that is secured by Kerberos must have an identity (a user account or computer account) within the realm (in this case, the domain) to which the system belongs. Although Active Directory can identify an account using a simple user name, the Kerberos standard includes information such as the service class, host name, and port that the account can use. A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. The client locates the service based on the SPN, which consists of three components:

- The service class, such as HTTP (which includes both the HTTP and HTTPS protocols) or SQLService
- The host name
- The port (if port 80 is not being used)

To establish an SPN for https://portal.contoso.com on port 443, you use HTTP/portal.contoso.com:443. The Kerberos authentication service then uses the SPN to authenticate a service. The SPN is associated with the application pool, not the server. In addition, for each web application, you should assign two SPNs, one with the fully qualified domain name for the service and one with the NetBIOS name of the service.

Kerberos delegation allows a Kerberos ticket to be created for another service on the originating user’s behalf. This can be done with full delegation or with constrained
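To show how the Kerberos Policy defaults above interact (ticket lifetime, the renewal window and the clock-skew tolerance), here is an added Python model; it is not from the course notes, uses plain epoch seconds, and assumes the default policy values listed above:

```python
MINUTE, HOUR, DAY = 60, 3600, 86400   # every time value below is in seconds

# Default values of the Kerberos Policy entries listed above (constructed table).
POLICY = {
    "user": 10 * HOUR,      # Maximum lifetime for user ticket (TGT)
    "service": 10 * HOUR,   # Maximum lifetime for service ticket
    "renewal": 7 * DAY,     # Maximum lifetime for user ticket renewal
    "skew": 5 * MINUTE,     # Maximum tolerance for computer clock synchronization
}

def within_skew(stamp, kdc_now, policy=POLICY):
    """Time-stamp check applied to a request: a stamp farther from the KDC
    clock than the tolerated skew is rejected, which is what stops a captured
    request from being replayed once the window has passed."""
    return abs(stamp - kdc_now) <= policy["skew"]

def issue_ticket(now, kind="user", policy=POLICY):
    """KDC side: the ticket's end time and renew-till are capped by policy."""
    return {"kind": kind, "issued": now,
            "endtime": now + policy[kind], "renew_till": now + policy["renewal"]}

def ticket_accepted(ticket, now, policy=POLICY):
    """Service side: the ticket is usable between its start and end time,
    with the configured skew allowed at both edges."""
    return ticket["issued"] - policy["skew"] <= now <= ticket["endtime"] + policy["skew"]

def renew_ticket(ticket, now, policy=POLICY):
    """Renewal is possible only while the ticket is still valid and before
    renew-till, and the new end time never passes renew-till. Returns None
    when the ticket can no longer be renewed and a fresh logon is required."""
    if now > ticket["endtime"] or now >= ticket["renew_till"]:
        return None
    return {**ticket, "endtime": min(now + policy[ticket["kind"]], ticket["renew_till"])}
```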
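The SPN rules above (class/host[:port], the port omitted for port 80, and a FQDN plus a NetBIOS SPN per web application) as an added Python example that is not from the course notes; the account names and registrations are constructed data:

```python
import re
from collections import defaultdict

# class/host[:port]; the port is present only when the service is not on port 80.
SPN_RE = re.compile(r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>\d+))?$")

def parse_spn(spn):
    """Split an SPN into its three components; port is None when omitted."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"not a class/host[:port] SPN: {spn}")
    return {"class": m["cls"], "host": m["host"], "port": int(m["port"]) if m["port"] else None}

def web_app_spns(fqdn, port=80, service_class="HTTP"):
    """The two SPNs to register for a web application: one for the fully
    qualified name and one for the NetBIOS (short) name. The port suffix is
    dropped when the application listens on port 80."""
    suffix = "" if port == 80 else f":{port}"
    short = fqdn.split(".")[0]
    return [f"{service_class}/{fqdn}{suffix}", f"{service_class}/{short}{suffix}"]

def duplicate_spns(registrations):
    """registrations: {account: [spn, ...]} (constructed data). Returns each SPN
    registered on more than one account, compared case-insensitively, together
    with those accounts. Such an SPN no longer identifies a single service
    instance, so Kerberos authentication to that service breaks."""
    owners = defaultdict(set)
    for account, spns in registrations.items():
        for spn in spns:
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}
```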