
Traditional authentication of an application with AD

How does authentication happen when an application authenticates users directly against AD?

The application connects to AD to authenticate the user. AD validates the user's credentials and sends the
result back to the application with a Kerberos ticket, and the user can then access the application.

The Kerberos ticket holds three pieces of information:

1. User account SID
2. Group SIDs (for the groups the user account is a member of)
3. Authentication time stamp

Note: A Kerberos ticket cannot be modified, meaning that AD attributes cannot be added to or removed from the
Kerberos ticket.

So traditional authentication of an application with AD happens by Kerberos ticket.

Claims-aware application authentication with AD

A claims-aware application authenticates with a token. The token can carry any AD attributes of the
user, such as email address, sAMAccountName, UPN, department, etc.

When a user account is created in AD, some AD attributes are created automatically. Once the user
account exists, other AD attributes can be added manually in the user account's properties.

How does authentication of a claims-aware application happen?

1. The claims-aware application generates a claim for authentication and sends it to ADFS (the claim holds
the AD attributes that need to be validated).
2. ADFS receives the claim from the application and sends it to AD for authentication.
3. AD validates the authentication and sends a Kerberos ticket back to ADFS.
4. ADFS receives the Kerberos ticket and customizes the result by adding the required AD attributes. Once
the ADFS service has added the required AD attributes, it sends a token with those attributes back to
the application.

ADFS methods

Example:

1. One application needs the user name, email and location name to authenticate the user. In this case ADFS
receives the claim from the application, authenticates with AD and sends a token back to the application
with the AD attributes user name, email and location name.
2. A second application needs the user name, email and department name to authenticate the user. In this
case ADFS receives the claim from the application, authenticates with AD and sends a token back to the
application with the AD attributes user name, email and department name.

What is the difference between a Kerberos ticket and an ADFS token?

Kerberos ticket

- Includes group and account SIDs.
- The application needs to contact AD directly.
- No customization is available for issuing a different set of attributes to each application.

ADFS token

- Any attribute that is populated on a user object can be sent in the token.
- ADFS is placed between Active Directory and the application.
- Customization is available with the help of different claim rules.
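The two applications from the example above, registered on ADFS with different claim rules, as an added example that is not part of the original notes. It assumes the ADFS PowerShell cmdlets are available on the federation server; the application identifiers and names, the custom location and department claim URIs, and the choice of the AD attribute `l` for "location name" are placeholders.

```powershell
# Added example: register two relying parties on ADFS, each with its own
# issuance transform rules, so each application receives a different set of
# AD attributes in its token (the "customization via claim rules" point above).
# Assumptions: identifiers, names and the two custom claim URIs are placeholders;
# 'l' (city) stands in for "location name", 'department' for department name.
# The rule text is ADFS claim rule language; it looks up the listed LDAP
# attributes of the authenticated user in the Active Directory attribute store.

$WindowsAccount  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$NameClaim       = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$EmailClaim      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$LocationClaim   = 'http://example.com/claims/location'    # placeholder custom claim type
$DepartmentClaim = 'http://example.com/claims/department'  # placeholder custom claim type

# Builds one issuance transform rule: query the AD attribute store for the given
# LDAP attributes of the authenticated user and issue them as the given claim types.
function New-AdAttributeRule {
    param(
        [string]$RuleName,
        [string[]]$LdapAttributes,   # e.g. 'displayName','mail','l'
        [string[]]$ClaimTypes        # same order as $LdapAttributes
    )
    $types = ($ClaimTypes | ForEach-Object { '"' + $_ + '"' }) -join ', '
    $attrs = $LdapAttributes -join ','
@"
@RuleName = "$RuleName"
c:[Type == "$WindowsAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ($types), query = ";$attrs;{0}", param = c.Value);
"@
}

# Application 1: user name, email, location name.
$app1Rules = New-AdAttributeRule -RuleName 'App1 attributes' `
    -LdapAttributes 'displayName','mail','l' `
    -ClaimTypes $NameClaim,$EmailClaim,$LocationClaim

# Application 2: user name, email, department name.
$app2Rules = New-AdAttributeRule -RuleName 'App2 attributes' `
    -LdapAttributes 'displayName','mail','department' `
    -ClaimTypes $NameClaim,$EmailClaim,$DepartmentClaim

# Issuance authorization rule: every authenticated user may receive a token.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name 'App1 (placeholder)' -Identifier 'https://app1.example.com/' `
    -IssuanceTransformRules $app1Rules -IssuanceAuthorizationRules $permitAll
Add-AdfsRelyingPartyTrust -Name 'App2 (placeholder)' -Identifier 'https://app2.example.com/' `
    -IssuanceTransformRules $app2Rules -IssuanceAuthorizationRules $permitAll
```

After running this, `Get-AdfsRelyingPartyTrust -Name 'App1 (placeholder)'` shows the rule text, and a user signing in to each application receives only the attributes that application's rule names.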
