LDAP and Kerberos.

LDAP is the Lightweight Directory Access Protocol. This is a database that's used to centralize information about your clients and your objects on the network. LDAP is essentially a simplified version of X.500, which is a directory service, and it contains a hierarchical organization of the users, groups, servers, and systems inside your network. LDAP communicates over port 389 when it's unencrypted, and if you decide to encrypt it using SSL or TLS, it's going to use port 636. Both of these are ports you should know for the Security+ exam. Now, while LDAP is considered cross-platform, Microsoft created their own implementation of this, known as AD or Active Directory. This is yet another example of a single sign-on system. In the Windows domain, Active Directory is used to organize and manage everything on the network, including those clients, servers, devices, users, and groups. Now, Active Directory can also be used as part of your security policies or access control through your group policies.
Now, Kerberos, on the other hand, is focused on authentication and authorization. This is performed through our Kerberos ticketing system in a Windows domain. Kerberos is an authentication protocol that provides for two-way or mutual authentication. When a user logs on to the domain, they first contact the domain controller, which acts as the key distribution center, or KDC. This KDC has two basic functions: authentication and ticket granting. So, if your client is authenticated properly, the KDC will issue them a TGT, which is called a ticket-granting ticket. This ticket-granting ticket is then provided to the domain controller any time that user wants to access a resource. And then the domain controller can provide that user with a service ticket or a session key to use, whichever one's appropriate for their needs. These tickets are presented to the resource and the access is then granted, because the resource always trusts the domain controller's provided tickets.
If your domain controller is running Kerberos, it's going to have port 88 open so it can receive those inbound service login requests from the clients. Now, because Kerberos relies on the domain controller to serve as that key distribution center, this is a single point of failure in the domain. If the domain controller is down, ticket-granting services are also shut down. To prevent this, though, what most people will do is have a primary and a secondary active domain controller. That will give you this form of redundancy to ensure Kerberos is up and LDAP is still running.