Administering AD LDS Authentication and Access Control
Updated: August 8, 2008
Applies To: Windows Server 2008
This guide provides administrators with step-by-step instructions for managing Windows Server 2008 Active Directory Lightweight Directory Services (AD LDS) authentication and access control.
Access control in AD LDS consists of two parts. First, AD LDS authenticates the identity of users who request access to the directory and allows only successfully authenticated users into the directory. Second, AD LDS uses security descriptors, called access control lists (ACLs), on directory objects to determine which objects an authenticated user can access.
Users, or security principals, request directory data from AD LDS through directory-enabled applications, which in turn make requests to AD LDS by using Lightweight Directory Access Protocol (LDAP). Before making a request for data, the directory-enabled application must present the user's credentials to AD LDS for authentication, or binding. This bind request includes a user name, information derived from the user's password that the client and server exchange, and, depending on the type of bind, a domain name or computer name.
AD LDS can accept authentication, or bind, requests from both AD LDS security principals and Windows (local and domain) security principals. AD LDS security principals are authenticated directly by AD LDS. Local Windows security principals are authenticated by the local computer. Domain security principals must be authenticated by an Active Directory Domain Services (AD DS) domain controller.
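The following PowerShell script is an added example, not part of the Microsoft guide, that walks through both parts described above: it binds to an AD LDS instance once as an AD LDS security principal (a simple bind with the user's distinguished name, sent inside TLS) and once as a Windows domain security principal (a Negotiate bind that AD LDS forwards to a domain controller), and then reads the DACL that AD LDS uses to decide what the authenticated user can reach. The server name adlds01.contoso.com, the LDAPS port 50636, the partition DC=App,DC=contoso,DC=com and the two user names are assumptions chosen for illustration; the function names New-AdLdsConnection and Get-AdLdsDacl are defined here and are not part of AD LDS.

```powershell
# Added example (not from the AD LDS guide). Assumed values are marked below.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Add-Type -AssemblyName System.DirectoryServices

$server    = 'adlds01.contoso.com'        # assumption: host running the AD LDS instance
$port      = 50636                        # assumption: the instance's LDAPS port
$partition = 'DC=App,DC=contoso,DC=com'   # assumption: the application partition

function New-AdLdsConnection {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.AuthType] $AuthType,
        [System.Net.NetworkCredential] $Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    # A simple (Basic) bind transmits the password itself, so it is only acceptable inside TLS.
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = $AuthType
    if ($Credential) { $conn.Credential = $Credential }
    # Bind() throws an LdapException (for example result code 49, invalid credentials)
    # when AD LDS, the local computer or the domain controller rejects the identity.
    $conn.Bind()
    return $conn
}

# Part 1a: an AD LDS security principal. AD LDS checks the password itself, and the
# user name is the object's distinguished name inside the instance.
$adldsUser = New-Object System.Net.NetworkCredential(
    'CN=Alice,OU=People,DC=App,DC=contoso,DC=com',          # assumption
    (Read-Host -AsSecureString 'Password for CN=Alice'))
$connAdLds = New-AdLdsConnection -AuthType Basic -Credential $adldsUser

# Part 1b: a Windows domain security principal. The Negotiate bind carries a domain
# name, and AD LDS relies on an AD DS domain controller to authenticate the user.
$domainUser = New-Object System.Net.NetworkCredential(
    'bob', (Read-Host -AsSecureString 'Password for CONTOSO\bob'), 'CONTOSO')   # assumption
$connDomain = New-AdLdsConnection -AuthType Negotiate -Credential $domainUser

# Part 2: read the security descriptor AD LDS evaluates for the bound user.
function Get-AdLdsDacl {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.LdapConnection] $Connection,
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $DistinguishedName, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, 'nTSecurityDescriptor')
    # Request only the DACL: reading the SACL needs a privilege ordinary users lack,
    # and without this control the server may return no descriptor at all.
    $flags = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl(
        [System.DirectoryServices.Protocols.SecurityMasks]::Dacl)
    [void]$req.Controls.Add($flags)

    $resp  = $Connection.SendRequest($req)
    $bytes = $resp.Entries[0].Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0]

    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm($bytes)
    # Return ACEs keyed by SID: AD LDS principals have SIDs of their own that the
    # local computer cannot translate to an account name, so NTAccount would fail.
    $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
}

# The same object, seen through each authenticated session.
Get-AdLdsDacl -Connection $connAdLds  -DistinguishedName "OU=People,$partition" |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
Get-AdLdsDacl -Connection $connDomain -DistinguishedName "OU=People,$partition" |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize

$connAdLds.Dispose()
$connDomain.Dispose()
```

The two binds differ only in AuthType and in the form of the user name: AD LDS principals present a distinguished name and are checked by the instance, while the domain user presents a domain and account name and is checked by AD DS. The DACL read at the end is the data AD LDS consults for the second part of access control, and if either session lacks read permission on the object the search returns no entries, which is the behaviour the guide's later topic on viewing or setting permissions addresses.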
For more information, see Introduction to Administering Authentication and Access Control.
- Introduction to Administering Authentication and Access Control
- Import the User Classes Supplied with AD LDS
- Synchronize with Active Directory Domain Services
- Add an AD LDS User to the Directory
- Add an AD LDS Group to the Directory
- Add or Remove Members to or from an AD LDS Group
- Disable or Enable an AD LDS User
- Modify the Password of an AD LDS User
- Add an Organizational Unit to the Directory
- Allow AD LDS Users to be Created in the Configuration Partition
- View or Set Permissions on a Directory Object
