Active Directory Authentication – DigitalMunition




Active Directory Authentication

Home Forums Active Directory Authentication

This topic contains 0 replies, has 1 voice, and was last updated by  BrianMiz 4 weeks, 1 day ago.

  • Author
    Posts
  • #147644

    BrianMiz
    Member

    I was reading about where AD passwords were stored, and I came across a discussion at Microsoft technet forum where the answer was “The password is stored in the AD and LDS database on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search.”

    I also read that when a user tries to login, an Authentication Service Request is sent with encrypted timestamp of the user’s password hash and the Domain Controller then decrypts the timestamp using the user’s locally-stored password hash.

    What beats me is, how is the hash retrieved if it cannot be read or queried by search? I would highly appreciate any further resources to understand this authentication flow better. 🙂

You must be logged in to reply to this topic.