How does the Security Service (WGSS) communicate, and for what purpose?
In an Active Directory (AD) and ADLDS configuration (with users stored in Active Directory and SSO data stored in ADLDS), WGSS performs:
- Authentication using the LogonUser API. This uses the standard Windows protocols, with Kerberos encryption mechanisms when they are available.
- LDAP requests to AD using ADSI, with Kerberos for authentication, to retrieve information from AD (organizational units, groups, users...). These requests do not need to transfer any critical data, so no additional encryption is used beyond the encryption provided by the Kerberos protocol itself.
- Password changes. These use the standard Windows API, which uses the first available of Kerberos encryption, SSL encryption, and secured RPC requests.
- Password resets. These use the standard Windows API, which uses the first available of Kerberos encryption, SSL encryption, and secured RPC requests.
Authentication Manager uses the LogonUser/LsaLogonUser APIs for authentication and the Windows change-password APIs for password changes.
Client applications connect to WGSS.exe either locally or remotely; they use SSPI, and therefore Kerberos, to secure and encrypt their connections.