Lesson1: AD Authentication Protocols - Technical Deep Dive
Starter Slide Idea: A visual graphic showing a fork in the road. One path leads to a traditional, walled castle representing on-premises Active Directory, with a signpost pointing to "Kerberos & NTLM." The other path leads to a modern, interconnected city in the clouds representing Azure AD, with its signpost reading "Modern Auth (OIDC, OAuth 2.0, SAML)." This image visually frames the two distinct authentication landscapes we will explore.
Introduction: The Keys to the Kingdom
Welcome to your first lesson on mastering Active Directory and Azure AD. As a security analyst, you need to grasp authentication protocols because they directly impact your ability to defend against cyber threats. These protocols are the gatekeepers, determining who gets access to what and how. This isn't just theory; it's the front line of your daily cyber defense. You are the guardian of your organization's digital kingdom, and this lesson will arm you with the fundamental knowledge to protect it from modern threats.
The Traditional Castle: On-Premises Active Directory
For decades, on-premises Active Directory (AD) has been the bedrock of enterprise identity. Picture a kingdom with a rigid, well-defined hierarchy. This is the world of on-premises AD.
Forests and Domains: The entire kingdom is a forest. Within this kingdom are several duchies, which are domains. A domain is a logical grouping of users, computers, and other objects that share a common security database. A forest is a collection of one or more domains that have a trust relationship, allowing for seamless resource access between them.
Domain Controllers (DCs): In each duchy stands a castle—the domain controller. This is the heart of the domain, storing the security database, authenticating every user and computer, and enforcing all security policies. All the kingdom's secrets are locked away here.
Organizational Units (OUs): Within each duchy are smaller villages and towns, known as Organizational Units. OUs are containers used to organize objects within a domain, such as users, groups, and computers. They are essential for delegating administrative tasks and applying specific security policies to different sets of objects.
[Placeholder for a diagram illustrating the AD forest, domain, and OU structure]
The Modern Cloud City: Azure Active Directory (Entra ID)
Now, let us journey to the bustling, modern city in the clouds: Azure Active Directory (Azure AD), now part of Microsoft Entra. Unlike the traditional castle, Azure AD was built for the internet age. It is a cloud-based identity and access management service that provides a universal identity platform for users to access cloud services like Microsoft 365 and thousands of other Software-as-a-Service (SaaS) applications.
While on-premises AD is hierarchical and focused on the internal network, Azure AD has a flatter structure, designed for a world where your users and applications are everywhere. It is not a direct replacement for on-premises AD but a new paradigm for managing identity in the cloud. Think of it as a global passport, whereas on-premises AD is more like a local driver's license.
Bridging the Two Worlds: Hybrid Identity
Most organizations today operate in a hybrid model, with a presence in both the on-premises kingdom and the cloud city. This is where hybrid identity becomes critical. It aims to create a single, common identity for users across both environments. This is typically achieved using Azure AD Connect, a tool that synchronizes user identities from on-premises AD to Azure AD. This synchronization allows users to use a single username and password to seamlessly access resources, whether they are on the local network or in the cloud.
The Old Guards: Kerberos and NTLM
Let us meet the guards of the on-premises kingdom: Kerberos and NTLM. These are the authentication protocols that have been the workhorses of Windows environments for many years.
Kerberos: The Ticket to Ride
Kerberos authentication begins the moment you log into your workstation, performing an intricate exchange to verify your identity and authorize your access across the domain.
Your workstation sends an Authentication Service Request (AS-REQ) to the Key Distribution Center (KDC) on the domain controller.
This request includes your username and a timestamp encrypted with your password hash, which is derived using the NT hash algorithm.
The KDC validates your request and responds with an Authentication Service Response (AS-REP) containing your Ticket Granting Ticket (TGT).
The TGT, encrypted with the KRBTGT account’s hash, includes:
Your security identifier (SID)
Your group memberships
The ticket validity period (typically 10 hours)
Your Privilege Attribute Certificate (PAC) — the authorization data that governs your access throughout the domain
According to IBM’s X-Force, attacks on TGTs via Kerberoasting increased by 100% in 2024.
When you attempt to access a resource, such as a file server, your workstation presents the TGT to request a service ticket through a Ticket Granting Service Request (TGS-REQ).
The KDC validates your TGT and issues a service ticket encrypted with the target service’s password hash.
This service ticket contains:
A session key for secure communication
Your identity information
The PAC carrying your authorization details
Modern Kerberos environments rely on AES128 or AES256, while older RC4 encryption is being phased out due to cryptographic weaknesses that enable offline cracking.
Kerberos provides mutual authentication, meaning both client and server verify each other's identity - a critical defense against man-in-the-middle attacks. It requires network connectivity to domain controllers, uses time-synchronized tickets (default five-minute clock skew tolerance), and operates through port 88. On-premises authentication generates Event IDs 4768 (TGT requests), 4769 (service tickets), and 4771 (pre-authentication failures) locally on domain controllers - critical logs for detecting Kerberoasting, Golden Ticket attacks, and brute-force attempts.
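The three event IDs above are the raw material for the detections the paragraph names. The following Python is an added example (not part of the lesson) that runs two simple rules over constructed 4768/4769/4771 records: it flags an account that obtains RC4 (encryption type 0x17) service tickets for several distinct services in a short window, the pattern Kerberoasting leaves behind, and a source address that racks up many pre-authentication failures with failure code 0x18 (bad password). Field names are simplified stand-ins for the Windows Security log columns; the thresholds and sample values are assumptions.

```python
"""Triage of Kerberos audit events (4768/4769/4771) for two patterns the
lesson describes: Kerberoasting (RC4 service-ticket harvesting) and
pre-authentication brute force. Added example; sample events are constructed."""
import collections
from datetime import datetime, timedelta

# Constructed sample records (not real logs).
# etype: 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC.
# result: 0x0 = success; for 4771 the failure code 0x18 = pre-auth failed (bad password).
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "account": "alice", "ip": "10.0.0.5",
     "service": "krbtgt", "etype": "0x12", "result": "0x0"},
    {"id": 4769, "time": "2024-05-01T08:00:05", "account": "alice", "ip": "10.0.0.5",
     "service": "cifs/fs01", "etype": "0x12", "result": "0x0"},
    # bob requests RC4 tickets for three different services within seconds.
    {"id": 4769, "time": "2024-05-01T09:10:00", "account": "bob", "ip": "10.0.0.9",
     "service": "MSSQLSvc/db01", "etype": "0x17", "result": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:10:01", "account": "bob", "ip": "10.0.0.9",
     "service": "HTTP/web01", "etype": "0x17", "result": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:10:02", "account": "bob", "ip": "10.0.0.9",
     "service": "svc_backup", "etype": "0x17", "result": "0x0"},
    # A single mistyped password from alice's workstation: noise, not an alert.
    {"id": 4771, "time": "2024-05-01T09:30:00", "account": "alice", "ip": "10.0.0.5",
     "service": "krbtgt", "etype": "", "result": "0x18"},
]
# Six bad-password pre-auth failures from one host against five accounts.
for i, name in enumerate(["carol", "dave", "erin", "frank", "grace", "carol"]):
    SAMPLE_EVENTS.append({"id": 4771, "time": f"2024-05-01T10:00:{i:02d}", "account": name,
                          "ip": "10.0.0.77", "service": "krbtgt", "etype": "", "result": "0x18"})


def _t(stamp):
    return datetime.fromisoformat(stamp)


def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Accounts that obtained RC4 (0x17) service tickets for at least
    `min_services` distinct services inside `window`. Returns {account: [services]}."""
    by_account = collections.defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17" and e["result"] == "0x0":
            by_account[e["account"]].append((_t(e["time"]), e["service"]))
    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):          # sliding window from each request
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                hits[account] = sorted(services)
                break
    return hits


def detect_preauth_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs producing at least `threshold` 4771 failures with code 0x18
    inside `window`. Returns {ip: {"failures": n, "accounts": [...]}}."""
    by_ip = collections.defaultdict(list)
    for e in events:
        if e["id"] == 4771 and e["result"] == "0x18":
            by_ip[e["ip"]].append((_t(e["time"]), e["account"]))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            accounts = [a for t, a in fails[i:] if t - start <= window]
            if len(accounts) >= threshold:
                hits[ip] = {"failures": len(accounts), "accounts": sorted(set(accounts))}
                break
    return hits


if __name__ == "__main__":
    print("Kerberoasting candidates:", detect_kerberoasting(SAMPLE_EVENTS))
    print("Pre-auth brute force:", detect_preauth_bruteforce(SAMPLE_EVENTS))
```

Both rules key on the fields the lesson calls out (ticket encryption type and the pre-auth failure code), so they translate directly into a SIEM query; the window and count thresholds should be tuned against a baseline of your own domain, since service accounts that still require RC4 will produce 0x17 tickets legitimately.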
NTLM: The Legacy That Won't Die
NTLM version 1 uses weak DES-based encryption that's trivially crackable with modern hardware. NTLMv2 improves this with HMAC-MD5 but still relies on challenge-response without mutual authentication. The server sends an 8-byte challenge, your client combines it with your password hash to create a response, and the server validates it against stored credentials.
The critical weakness: NTLM hashes never expire and don't include time bounds or session tokens. Capture one through responder poisoning or LLMNR spoofing, and you can replay it indefinitely until the user changes their password.
Microsoft blocks 7,000 password-based attacks per second, many targeting these static NTLM hashes. Unlike Kerberos's mutual authentication, NTLM clients can't verify the server's identity, enabling relay attacks in which attackers forward your credentials to different services. Despite Microsoft's years-long campaign to deprecate NTLM, it persists because legacy applications and older systems lack Kerberos support. As a SOC analyst, you'll encounter NTLM authentication daily - which means you must monitor for NTLM relay attacks, credential harvesting, and the telltale signs of attackers exploiting its inherent weaknesses.
The New Kids on the Block: Modern Authentication in Azure AD
In the cloud city of Azure AD, a new generation of internet protocols provides more robust security.
OAuth 2.0: This is an authorization framework that enables applications to obtain limited access to user accounts. It's the magic behind signing in to a new app with your Google or Microsoft account without having to share your password.
OpenID Connect (OIDC): Built on top of OAuth 2.0, OIDC is a simple identity layer. It allows applications to verify your identity based on authentication performed by an authorization server and to obtain basic profile information.
SAML (Security Assertion Markup Language): An XML-based standard for exchanging authentication and authorization data between an identity provider (such as Azure AD) and a service provider. It is a mature protocol widely used for single sign-on (SSO) in enterprise environments.
These modern protocols are the foundation of secure access in the cloud, offering greater flexibility and features such as multi-factor authentication (MFA).
Your Cloud Passport: Primary Refresh Tokens (PRT)
In Azure AD, the Primary Refresh Token (PRT) is a critical component that enables seamless single sign-on (SSO) across applications on a device. It is a JSON Web Token (JWT) issued to you when you register your device with Azure AD. The PRT is like a master key, granting silent access to various applications without forcing you to re-enter your credentials every time. It's your passport to the cloud city.
However, this convenience makes the PRT a high-value target. If an attacker steals your PRT, they can impersonate you and gain access to all the cloud applications you use. The financially motivated threat actor Storm-0501, for instance, has been observed targeting hybrid environments to compromise credentials that could lead to the theft of such valuable tokens, enabling them to move from on-premises networks into the cloud.
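The OIDC and PRT sections both come down to one artefact, the JSON Web Token: three base64url segments (header, claims, signature) that a relying party must validate before trusting the identity inside. The following Python is an added example (not from the lesson, and not Microsoft's library code) that validates an OIDC ID token the way an application should: signature first, then issuer, audience, validity window and nonce. Azure AD signs ID tokens with RS256 using keys published at its JWKS endpoint; to run offline this example substitutes HS256 with a constructed shared secret, and the issuer, client ID, claims and timestamps are all constructed values. The PRT has the same JWT layout but is consumed by the device's token broker rather than validated by applications, so the same structure applies even though you would not write this check for a PRT.

```python
"""OIDC ID token (JWT) validation as a relying party should do it. Added
example; HS256 with a constructed key stands in for Azure AD's RS256/JWKS."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))   # restore stripped padding


def mint_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; stands in for the identity provider in this demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(ValueError):
    pass


def validate_id_token(token: str, key: bytes, issuer: str, audience: str, nonce: str, now: int) -> dict:
    """Return the claims if every check passes, otherwise raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # pin the algorithm; never let the token choose it
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")   # checked before any claim is read
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    if claims.get("nonce") != nonce:        # binds the token to this login attempt
        raise TokenError("nonce mismatch (possible replay)")
    return claims


# Constructed demo values.
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://login.example.test/tenant-id/v2.0"
DEMO_AUDIENCE = "client-id-of-demo-app"


def demo_results() -> dict:
    """Run the validator over a good token and several bad ones."""
    base = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "user-123",
            "nbf": 1_700_000_000, "exp": 1_700_003_600, "nonce": "n1"}
    good = mint_token(base, DEMO_KEY)
    head, _, sig = good.split(".")
    # Payload edited after signing: the signature no longer matches.
    forged = b64url_encode(json.dumps(dict(base, sub="admin"), separators=(",", ":")).encode())
    cases = {
        "good": (good, "n1", 1_700_001_000),
        "tampered": (f"{head}.{forged}.{sig}", "n1", 1_700_001_000),
        "expired": (good, "n1", 1_700_003_600),
        "wrong_nonce": (good, "n2", 1_700_001_000),
        "wrong_audience": (mint_token(dict(base, aud="other-app"), DEMO_KEY), "n1", 1_700_001_000),
    }
    results = {}
    for name, (tok, nonce, now) in cases.items():
        try:
            results[name] = "accepted:" + validate_id_token(tok, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, nonce, now)["sub"]
        except TokenError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo_results().items():
        print(f"{case}: {outcome}")
```

The order matters: the signature is verified before any claim is parsed, the algorithm is pinned rather than read from the token, and the nonce ties the token to the login attempt that requested it. In production, replace the HMAC check with RS256 verification against the key whose `kid` matches the token header, fetched from the tenant's JWKS endpoint.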
The Showdown: On-Premises vs. Cloud Authentication
How do the old guards of the on-premises world compare to the new kids on the block in the cloud? This table summarizes the key differences:
| Aspect | On-Premises AD | Azure AD (Entra ID) |
|---|---|---|
| Environment | Primarily internal, trusted networks | Internet-facing, designed for zero-trust |
| Protocols | Kerberos, NTLM | OAuth 2.0, OpenID Connect, SAML |
| Security | Vulnerable to relay and offline cracking attacks | Stronger, with built-in support for MFA and Conditional Access |
| Flexibility | Rigid, designed for traditional client-server applications | Highly flexible, built for modern web and mobile applications |
Why This Matters to You, the SOC Analyst
As a SOC analyst, you are on the front lines of a constantly evolving battlefield. Understanding the nuances between on-premises and cloud authentication protocols is not just academic; it is essential for your success. You must be able to spot the tell-tale signs of an attack, whether it's a Kerberoasting attempt against your on-premises domain controllers or a sophisticated PRT theft attack targeting your cloud users. By mastering how these protocols work, their weaknesses, and how they are exploited, you can more effectively hunt for threats, investigate incidents, and ultimately, become a formidable defender of your organization's digital estate.