Difference between Active Directory / Windows NT and LDAP authentications

SOLVED
Occasional Contributor

Would anyone like to explain a bit better the differences between AD/NT and LDAP authentication against a Win2003 Domain Controller?

They seem really similar in functionality (they allow password expiration changes, they allow single sign-on, it's possible to create roles on domain/LDAP groups and so on).

The only difference I saw is that using AD/NT I see traffic going to almost every DC in my domain (but it seems it's not using the "right" one on the site on which the SA resides), while LDAP tries to authenticate on the defined LDAP servers.

What's the real difference between them?

I saw that using AD/NT as primary authentication and RSA as secondary, it uses domain\user as <USERNAME>, so RSA will not authenticate (checking the manual, it seems I should use <NTUSER> instead of <USERNAME>).

Are there any pros/cons to using AD/NT or LDAP?

Thanks

1 ACCEPTED SOLUTION

Respected Contributor

Re: Difference between Active Directory / Windows NT and LDAP authentications

To add to what Kristof said: The AD/NT server instance uses Samba to communicate with the domain controllers. As you observed, it will communicate with ALL the domain controllers in your domain; more if you enable trusted domains. This server instance joins itself to the domain in order to read group membership and allow the password change actions (if enabled). The LDAP server instance uses the LDAP protocol to communicate to the servers you define (only).

I'm not sure if it is beneficial, but from a support standpoint, here is a base comparison of the two servers:

LDAP
Pros: communicates to defined servers, can retrieve attributes for use in other policies, can search nested groups, can be granular in searching, "it just works," users receive password expiration notices and details if it fails, fast.
Cons: cannot do trusted domain auth; each AD domain needs its own instance. More daunting initial configuration.

AD/NT
Pros: can authenticate across domains, less daunting initial configuration, and is "native" to the server environment.
Cons: can't search nested groups, requires an admin account to remove/join the domain, sensitive to any change on the backend or IVE OS, no attributes, no detailed password messages at expiration, no warning of pending expiration, searches all DCs, entirely, at login (slow).

From a support perspective, unless there is a reason to use the AD/NT server instance, such as wanting a single auth server for trusted domain login, LDAP is the server that should be used. It is more powerful and gives you, as an admin, more flexibility.

4 REPLIES
Contributor

Re: Difference between Active Directory / Windows NT and LDAP authentications

The answer to your question could be like a book in size.

LDAP is mainly used in case you want to do role mappings based on attributes in user accounts, which is something you cannot do using AD as an authentication server. Please be sure to add the attributes you want to use, or make sure they are in the LDAP Server catalog (Auth Servers > Your LDAP server > Server catalog option), before using them in any of your role mapping rules.

What concerns your USER vs USERNAME: in every auth method the two are equal, apart from LDAP, where USER = DOMAIN\username (e.g. contoso\jdoe) and USERNAME = username (e.g. jdoe).

Thanks,

Kristof
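The behaviour Kristof describes (attribute-based role mapping and the USER/USERNAME split) together with the nested-group search the accepted answer credits to the LDAP instance, modelled in Python as an added example; this is not the appliance's own code. The directory snapshot, DNs, attribute values and role names are all constructed sample data.

```python
from typing import Dict, List, Set

# Constructed directory snapshot (DN -> attributes); stands in for LDAP search results.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=jdoe,OU=Users,DC=contoso,DC=com": {
        "sAMAccountName": ["jdoe"],
        "department": ["Finance"],
        "memberOf": ["CN=Finance-Staff,OU=Groups,DC=contoso,DC=com"],
    },
    # Finance-Staff is itself a member of VPN-Users, so jdoe is only a *nested* member.
    "CN=Finance-Staff,OU=Groups,DC=contoso,DC=com": {
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=contoso,DC=com"],
    },
}
VPN_GROUP = "CN=VPN-Users,OU=Groups,DC=contoso,DC=com"  # constructed group DN


def split_login(login: str) -> Dict[str, str]:
    """USER keeps the DOMAIN\\user form as typed; USERNAME is the bare account name."""
    _domain, sep, user = login.partition("\\")
    return {"USER": login, "USERNAME": user if sep else login}


def nested_groups(dn: str) -> Set[str]:
    """Follow memberOf transitively (the nested-group search the LDAP instance can do)."""
    seen: Set[str] = set()
    pending = list(DIRECTORY.get(dn, {}).get("memberOf", []))
    while pending:
        group = pending.pop()
        if group not in seen:  # also guards against cyclic group nesting
            seen.add(group)
            pending.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return seen


def map_roles(login: str) -> Set[str]:
    """Evaluate two role mapping rules: one on a user attribute, one on group membership."""
    username = split_login(login)["USERNAME"]
    # Look the user up by sAMAccountName, as a catalogued-attribute search would.
    dn = next((d for d, a in DIRECTORY.items() if username in a.get("sAMAccountName", [])), None)
    if dn is None:
        return set()
    roles: Set[str] = set()
    if "Finance" in DIRECTORY[dn].get("department", []):  # attribute-based rule
        roles.add("Finance-Role")
    if VPN_GROUP in nested_groups(dn):  # rule on a group the user is only nested in
        roles.add("VPN-Role")
    return roles
```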

Occasional Contributor

Re: Difference between Active Directory / Windows NT and LDAP authentications

Thanks for the answer. So in the end it seems better to use LDAP :)

Just a little clarification regarding single sign-on... What happens in regard to it?

Does LDAP authentication then work with Kerberos/NTLM single sign-on on internal web sites and Windows file shares?

Respected Contributor

Re: Difference between Active Directory / Windows NT and LDAP authentications

Yes, if possible, LDAP is best.

SSO works without an issue to websites & file shares. The only thing that *may* change is that if your login requires the domain to be specified, you would need to provide it statically rather than have it included in the <USER> variable.