Return
-
Title
How is authentication to Active Directory (AD) performed by the various ADS authentication modules? -
Description
How is authentication to Active Directory (AD) performed by the various ADS authentication modules? -
Cause
How to article. -
Resolution
Active Directory user account
As the user is already authenticated in a domain environment performed by the AD DC, the authentication module will only check for the current identity using the 'IsAuthenticated' flag: WindowsIdentity.IsAuthenticated Property
Result: no (new) verification against AD.
Active Directory user account (dynamic)
In fat clients this is the same as the "Active Directory user account" authentication module. For the web application the user identity is taken from the web context, which means the web app tries to identify the user from the browser context if the related IIS settings for the security section are configured correctly (Web Portal Installation Guide).
Active Directory user account (manual input)
An authentication is performed by advapi32.dll as defined here LogonUser function
with
LogonType.LOGON32_LOGON_NETWORK = 3
The LogonUser function does not cache credentials for this logon type.
LogonProvider.LOGON32_PROVIDER_DEFAULT = 0
Use the standard logon provider for the system.
The default security provider is negotiate, unless you pass NULL for the domain name and the user name is not in UPN format. In this case, the default provider is NTLM.
NOTE: Windows 2000/NT: The default security provider is NTLM.
Active Directory user account (role based)
Same as above.
Web Active Directory user account
The user is taken from the http context (HttpContext Class) and again transformed into the .Net Identity class to check its IsAuthenticated flag again as mentioned in "Active Directory user account".