AD Authentication Terms

GCB 2015. 3. 15. 16:18

   

Source: <http://www.mcmcse.com/microsoft/guides/kerberos.shtml>

   

   

   

   

Secure Attention Sequence (SAS)

A sequence of keys that begins the process of logging on or off. The default key sequence in Windows is CTRL+ALT+DEL. 

   

Windows NT LAN Manager (NTLM)

The NTLM protocol was the default for network authentication in Windows NT 4. It has been retained in Windows 2000 for compatibility with down-level clients and servers. NTLM is also used to authenticate logons to standalone computers with Windows 2000.

   

Graphical Identification and Authentication (GINA)

A Graphical Identification and Authentication DLL, or GINA DLL, is a replaceable component of Windows NT and Windows 2000 that performs identification and authentication of interactive users. The Microsoft standard GINA DLL that is shipped with Windows NT and Windows 2000 operating systems is "msgina.dll". Microsoft allows the replacement of "msgina.dll" to allow the use of multiple GINA DLLs.

   

Local Security Authority (LSA)

A protected subsystem that authenticates and logs users onto the local system. In addition, the LSA maintains information about all aspects of local security on a system (collectively known as the local security policy), and provides various services for translation between names and identifiers. 

   

Ticket-Granting Ticket (TGT)

This ticket is received from the Authentication Service (AS) and contains the client's Privilege Attribute Certificate (PAC).

   

Authentication Service (AS)

This service runs on the Key Distribution Centre (KDC) server. It authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication. 

   

Ticket Granting Service (TGS)

This service runs on the KDC server. It grants tickets to TGT-holding clients for a specific application server or resource.

   

Ticket

This ticket is received from the TGS and provides authentication for a specific application server or resource.

   

Session Key

This is the derived value used strictly for the immediate session between a client and a resource. 

   

Privilege Attribute Certificate (PAC)

This is strictly used in Windows 2000 Kerberos authentication. It contains information such as the user's Security ID (SID), group membership SIDs, and users' rights on the domain. 

   

Winlogon

A component of the Windows NT/Windows 2000/Windows XP operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a Graphical Identification and Authentication dynamic-link library (DLL).

   

Kerberos Security Support Provider (Kerberos SSP)

The Kerberos authentication protocol is implemented as a security support provider (SSP) that is supplied with the operating system. Windows 2000 also includes an SSP for NTLM authentication. By default, both the Kerberos protocol and the NTLM protocol are loaded by the LSA on a computer that is running Windows 2000 when the system starts. 

   

Key Distribution Centre (KDC)

The service which implements Kerberos authentication via the Authentication Service (AS) and the Ticket Granting Service (TGS). The KDC has a copy of every encryption key associated with every principal. Most KDC implementations store the principals in a database, also known as the Kerberos database. 
