Supported Authentication Methods in 5.1.1.1

Under the “Details” section, the client must verify the server’s identity by validating the certificate it presents: the certificate must carry a correct signature, must not have expired, and must have been issued by a trusted root certification authority (CA).

The AuthenticationChoice structure for a BindRequest, as defined in section 4.2 of RFC2251, offers two alternatives: simple and SASL. On the other hand, section 4.1 of RFC1777 defines an authentication structure for a BindRequest that presents three alternatives: simple, krbv42LDAP, and krbv42DSA. However, in Active Directory, only simple and SASL authentication mechanisms are supported. The former is used for LDAP simple binds, while the latter is used for LDAP SASL binds (as documented in RFC2829). To ensure compatibility with legacy systems, Active Directory also supports a third mechanism called “Sicily.” Sicily support adds three more choices to the AuthenticationChoice structure.

 AuthenticationChoice ::= CHOICE {
     simple                 [0]    OCTET STRING,
     sasl                   [3]    SaslCredentials,
     sicilyPackageDiscovery [9]    OCTET STRING,
     sicilyNegotiate        [10]   OCTET STRING,
     sicilyResponse         [11]   OCTET STRING  }
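The context-specific tags [0], [3], [9], [10] and [11] are what distinguish the three mechanisms on the wire. The following decoder is an added example, not code from MS-ADTS or from this page: it parses the body of a BindRequest with a minimal BER reader and reports which AuthenticationChoice alternative (and, for SASL, which mechanism name) a client used, which is the kind of check a defender runs over captured LDAP binds to find clear-text simple binds or legacy Sicily/NTLM clients. The sample bind bodies are constructed, not captured traffic.

```python
# Added example (not from the page or MS-ADTS): classify the AuthenticationChoice
# of an LDAP BindRequest by its BER context tag.

# Context-specific tag numbers from the AuthenticationChoice definition.
CHOICE_TAGS = {0: "simple", 3: "sasl", 9: "sicilyPackageDiscovery",
               10: "sicilyNegotiate", 11: "sicilyResponse"}

def _tlv(buf, pos):
    """Parse one BER TLV at buf[pos] (definite lengths, low tag numbers only).
    Returns (tag_class, tag_number, value, position after the TLV)."""
    first = buf[pos]
    tag_class, tag_number = first >> 6, first & 0x1F
    if tag_number == 0x1F:
        raise ValueError("high tag numbers are not used by LDAP")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag_class, tag_number, buf[pos:pos + length], pos + length

def classify_bind(body):
    """body is the content of a BindRequest: version INTEGER, name LDAPDN,
    authentication AuthenticationChoice. Returns what the client chose."""
    _, tag, version, pos = _tlv(body, 0)
    if tag != 2:
        raise ValueError("expected INTEGER version")
    _, tag, name, pos = _tlv(body, pos)
    if tag != 4:
        raise ValueError("expected OCTET STRING name")
    tag_class, choice, cred, _ = _tlv(body, pos)
    if tag_class != 2 or choice not in CHOICE_TAGS:   # 2 = context-specific class
        raise ValueError(f"unknown AuthenticationChoice tag [{choice}]")
    result = {"version": int.from_bytes(version, "big"),
              "name": name.decode(), "mechanism": CHOICE_TAGS[choice]}
    if choice == 3:
        # SaslCredentials ::= SEQUENCE { mechanism LDAPString, credentials OCTET STRING OPTIONAL }
        _, _, seq, _ = _tlv(cred, 0)          # unwrap the SEQUENCE
        _, _, mech, _ = _tlv(seq, 0)          # first element: mechanism name
        result["sasl_mechanism"] = mech.decode()
    return result

# Constructed sample BindRequest bodies (not captured traffic).
SIMPLE_BIND = b"\x02\x01\x03" + b"\x04\x13cn=alice,dc=example" + b"\x80\x06secret"
SASL_BIND = b"\x02\x01\x03\x04\x00" + b"\xa3\x13\x30\x11\x04\x0aGSS-SPNEGO\x04\x03tok"
SICILY_BIND = b"\x02\x01\x03\x04\x00" + b"\x8a\x08NTLMSSP\x00"   # placeholder NTLM token

if __name__ == "__main__":
    for sample in (SIMPLE_BIND, SASL_BIND, SICILY_BIND):
        print(classify_bind(sample))
```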

The tables below provide a summary of the authentication protocols supported by each of the three authentication mechanisms and their relationship.

Authentication Mechanism: Simple

The simple authentication mechanism involves no other authentication protocol; the mechanism itself fully describes the authentication process.

Authentication Mechanism: SASL

Authentication protocols   Comments
GSS-SPNEGO                 GSS-SPNEGO uses either Kerberos or NTLM as its underlying authentication protocol.
GSSAPI                     GSSAPI always uses Kerberos as the underlying authentication protocol.
EXTERNAL
DIGEST-MD5

Authentication Mechanism: Sicily

Authentication protocols   Comments
NTLM

Further elaboration on the three authentication mechanisms supported by Active Directory can be found in the upcoming sections.
