
RODC and its Authentication Mechanisms


Hi All,

Just wanted to explain the authentication steps involved in RODC deployments. 🙂

Read-only Domain Controllers (RODCs) can be deployed in sites where we don't have physical security for a Domain Controller. Since AD works on multi-master replication, if someone compromises that domain controller, makes changes to ntds.dit and puts it back on the network, it will corrupt the entire AD domain.

In these cases, we can deploy an RODC in those sites.

How does it secure AD?
All replication to an RODC is one-way: an RODC only receives inbound replication and never replicates anything to any other DC. There is no outbound replication.

Points to remember before deploying:

We need to cache both user and computer accounts on the RODC; only then will authentication succeed in case of a WAN failure.

Each and every domain controller (including an RODC) has its own unique domain KRBTGT account, and it is replicated to each and every Domain Controller in the domain.
All RODC KRBTGT accounts are replicated to all RWDCs in the domain.
An RWDC's KRBTGT account will not be replicated to any RODC in the domain.

To issue a valid Kerberos ticket to a user/computer, that user/computer's Kerberos ticket must be signed with its respective domain controller's KRBTGT account. If a domain controller receives a ticket request signed by some other domain controller's KRBTGT account, it will ask the user/computer to generate a new ticket request so that it can issue a valid ticket.

Figure: Sites with RWDC and RODC

Phase 1: Computer Authentication
The computer contacts the RODC by sending a KRB_AS_REQ.
Since the RODC doesn't have the computer account's password cached locally, it forwards the request to an RWDC.
The RWDC responds with a KRB_AS_REP signed with the domain KRBTGT account.
Now the RODC checks again with the RWDC to confirm whether this computer account's password can be cached locally. Let's assume yes; it then stores the computer password.

Phase 2: User Authentication
The user contacts the RODC by sending a KRB_AS_REQ.
Since the RODC doesn't have the user's password cached locally, it forwards the request to the RWDC.
The RWDC responds with a KRB_AS_REP signed with the domain KRBTGT account.
Now the RODC checks again with the RWDC to confirm whether this user account's password can be cached locally. Let's assume yes; it then stores the user password in the local RODC database.

Phase 3: Service Ticket
For the user to use his computer, he needs a Ticket Granting Service (TGS) ticket.
Now the computer generates a TGS request using the user's TGT (issued under the domain KRBTGT) and sends it to the RODC as a KRB_TGS_REQ.
The RODC can't decrypt the user's TGT because it is signed with the domain KRBTGT account.
So it forwards the request to the RWDC, and the RWDC responds with a KRB_TGS_REP.

Now, rather than forwarding this TGS ticket to the computer directly, the RODC makes the user generate a new KRB_AS_REQ, so that it doesn't have to rely on the RWDC for authentication next time. Also remember that each and every Kerberos ticket should be signed with the respective DC's KRBTGT account.

Now a KRB_AS_REQ is generated again for the user; since the password is already cached, the RODC itself responds with a KRB_AS_REP signed with the RODC's krbtgt account.
Now a new TGS ticket is requested with a KRB_TGS_REQ, using the TGT the RODC just issued for the user.
This time the RODC is able to issue the KRB_TGS_REP, which allows the user to access his computer.

All 3 phases happen for every user and computer account the first time it contacts the RODC. During subsequent attempts, the KRB_AS_REQ for the user and computer account is answered directly by the RODC, because the computer and user account passwords are cached locally on the RODC itself.
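As an added illustration (not part of the original post, and not real DC code): a small Python model of the three phases above, with a constructed hub RWDC and branch RODC. Each DC seals TGTs with its own krbtgt key, the RODC forwards what it cannot answer, caches secrets only where the Password Replication Policy allows, and on first logon makes the client re-run KRB_AS_REQ; the forwards counter shows the WAN round-trips disappear on later logons. The names alice, PC01$, admin and krbtgt_12345 are constructed.

```python
import hmac, hashlib

class DomainController:  # toy KDC model for the RODC flow (constructed example, not real DC code)

    def __init__(self, name, krbtgt_key, rwdc=None, prp_allowed=(), accounts=None):
        self.name = name
        self.krbtgt_key = krbtgt_key          # RWDC: domain krbtgt key; RODC: its own krbtgt_NNNNN key
        self.rwdc = rwdc                      # set only on an RODC: the writable DC it forwards to
        self.prp_allowed = set(prp_allowed)   # Password Replication Policy: accounts this RODC may cache
        self.db = dict(accounts or {})        # RWDC: all account secrets; RODC: cached secrets only
        self.forwards = 0                     # requests that had to cross the WAN to the RWDC

    def _seal(self, principal):
        return hmac.new(self.krbtgt_key, principal.encode(), hashlib.sha256).hexdigest()

    def as_req(self, principal, secret):
        """KRB_AS_REQ -> KRB_AS_REP: a TGT sealed with the answering DC's krbtgt key."""
        if principal not in self.db and self.rwdc is not None:   # RODC lacks the secret: forward
            self.forwards += 1
            tgt = self.rwdc.as_req(principal, secret)
            if principal in self.prp_allowed:                    # RWDC confirms caching is allowed
                self.db[principal] = secret
            return tgt
        if not hmac.compare_digest(self.db[principal], secret):  # KeyError if unknown to the domain
            raise PermissionError("pre-authentication failed")
        return {"principal": principal, "issuer": self.name, "tag": self._seal(principal)}

    def tgs_req(self, tgt, service):
        """KRB_TGS_REQ -> KRB_TGS_REP: only the DC whose krbtgt sealed the TGT can read it."""
        if hmac.compare_digest(self._seal(tgt["principal"]), tgt["tag"]):
            return {"service": service, "principal": tgt["principal"], "issuer": self.name}
        if self.rwdc is None:
            raise PermissionError("TGT not sealed with this domain's krbtgt")
        self.forwards += 1
        reply = self.rwdc.tgs_req(tgt, service)
        return {"retry_as_req": True} if tgt["principal"] in self.db else reply  # cached now: client re-runs AS_REQ

def logon(rodc, principal, secret, service):
    """Client side of phases 1-3 against an RODC; returns (TGT, service ticket)."""
    tgt = rodc.as_req(principal, secret)
    st = rodc.tgs_req(tgt, service)
    if st.get("retry_as_req"):
        tgt = rodc.as_req(principal, secret)   # now answered locally with the RODC krbtgt
        st = rodc.tgs_req(tgt, service)
    return tgt, st

def build_site():
    """Constructed sample: hub RWDC plus branch RODC whose PRP allows alice and PC01$ but not admin."""
    rwdc = DomainController("RWDC", b"domain-krbtgt", accounts={"alice": "pw-a", "PC01$": "pw-pc", "admin": "pw-x"})
    return rwdc, DomainController("RODC", b"krbtgt_12345", rwdc=rwdc, prp_allowed={"alice", "PC01$"})
```

Running logon() twice for alice shows two forwarded requests on the first logon and none on the second, while admin (denied by the PRP) is forwarded every time and only ever receives RWDC-issued tickets.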

It may seem a lengthy post, but if you go through it slowly you will be able to understand it clearly.. 🙂

Hope it is clear and useful! 🙂 Comments are always welcome! 🙂
