What is Secure Channel in AD?
In Windows AD environments, the secure channel provides an encrypted communication path between clients and domain controllers. By clients I mean any edition of Windows, including client operating systems such as Windows 10/8/7/Vista/XP and server operating systems running as domain controllers or member servers.
In other words, when there is no secure channel between a client and a domain controller, Active Directory related tasks cannot complete; a missing or broken secure channel breaks everything that depends on the domain. Group Policy processing and computer authentication are cases in point.
Different types of secure channel
There are basically three types of secure channel.
The first is used for communication between clients in a domain and its domain controllers. This type of secure channel is established between a client computer and a domain controller in the domain.
The second type establishes secure communication between the domain controllers of a source domain and the domain controllers of a trusted domain.
The last type establishes a secure path between domain controllers in the same domain.
How Secure Channel operates in AD
Different credentials are used to establish the secure channel for each type. It is a common misunderstanding that a user account is authenticated while a secure channel is being established. The only account used in this process is the computer account of the requester.
Since Active Directory automatically manages computer accounts and their passwords, I will briefly cover what happens in the background.
Every computer account in Active Directory needs to authenticate, and this requires a password. Once the computer is joined to a domain, it proposes a password for its own authentication in Active Directory. This mechanism is completely automated and is driven by the client; Active Directory does not initiate it.
By default, the machine account password change is initiated by the computer itself every 30 days.
However, you can modify this value through Group Policy by navigating to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age and specifying your own value. It is worth mentioning that computer account passwords do not expire in Active Directory; they are exempt from the domain password policy.
The service responsible for establishing the secure channel is Netlogon. When the computer starts, as soon as the Netlogon service becomes available it begins establishing a secure channel between the computer and a domain controller.
There are three important parameters which Netlogon will use during this process:
- ScavengeInterval: determines how often the Netlogon service checks the password expiration on secure channels. The default value is 15 minutes. For an overview of the other responsibilities of this parameter, refer to the Useful Links section.
- MaximumPasswordAge: determines how often the system changes the computer account password of the local computer. The default value is 30 days.
- DisablePasswordChange: you can prevent automatic password changes by setting the value of this entry to 1. The default value is 0.
If you need to change the above values, you can modify them through the following Group Policy settings:
- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes
- Computer Configuration\Administrative Templates\System\Netlogon\Scavenge Interval
- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
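The three Netlogon parameters above are also stored as registry values under the Netlogon service key, so an administrator can audit the effective settings on a machine and, on the directory side, spot computer accounts whose password has not rotated within MaximumPasswordAge. The following PowerShell script is an added example written for this article, not code from the original post; it assumes local administrator rights to read HKLM, the RSAT ActiveDirectory module for the directory query, and the grace period of 15 days is a constructed threshold you would tune for your environment.

```powershell
# Added example: audit Netlogon machine-account password settings on the local
# computer and flag AD computer accounts whose password is well past MaximumPasswordAge.
# Assumptions: elevated session; ActiveDirectory module installed; thresholds are
# constructed values for illustration.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Documented defaults: ScavengeInterval is stored in seconds (15 minutes),
# MaximumPasswordAge in days, DisablePasswordChange as 0/1.
$Defaults = [ordered]@{
    ScavengeInterval      = 900
    MaximumPasswordAge    = 30
    DisablePasswordChange = 0
}

function Get-NetlogonPasswordSettings {
    # A value that is absent from the registry means Netlogon uses its built-in default.
    $props = Get-ItemProperty -Path $NetlogonKey
    foreach ($name in $Defaults.Keys) {
        $configured = $props.$name
        $effective  = if ($null -ne $configured) { $configured } else { $Defaults[$name] }
        [pscustomobject]@{
            Setting   = $name
            Effective = $effective
            Default   = $Defaults[$name]
            IsDefault = ($effective -eq $Defaults[$name])
        }
    }
}

function Get-StaleComputerAccounts {
    param(
        [int]$MaxAgeDays = 30,   # should match the domain's MaximumPasswordAge policy
        [int]$GraceDays  = 15    # constructed: tolerate one missed rotation cycle
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-($MaxAgeDays + $GraceDays))

    # Enabled computers whose PasswordLastSet is older than the cutoff have not
    # completed a machine-password change: typically offline, decommissioned, or
    # unable to build a secure channel to any DC.
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -and ($_.PasswordLastSet -lt $cutoff) } |
        Select-Object Name, DNSHostName, PasswordLastSet,
            @{ Name = 'PasswordAgeDays'
               Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordLastSet
}

# DisablePasswordChange = 1 or an unusually long MaximumPasswordAge means a leaked
# machine-account password stays valid far longer than the 30-day design intent.
Get-NetlogonPasswordSettings | Format-Table -AutoSize

Get-StaleComputerAccounts -MaxAgeDays 30 -GraceDays 15 | Format-Table -AutoSize
```

The first function reports the local machine's view; the second reports the directory's view. A mismatch between the two (for example, a member server configured with a long MaximumPasswordAge while the domain expects 30 days) is exactly what the Group Policy settings listed above are meant to prevent.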
Once the Netlogon service is running, every ScavengeInterval it checks whether the computer password is older than MaximumPasswordAge; if it is, it attempts to change the computer password. After locating a domain controller, the client and server create a secure channel by exchanging and validating a challenge and response. The process is as follows:
- The client invokes NetrServerReqChallenge() to request a challenge from the server. Along with the request it sends its own client challenge, its computer name and the domain controller name to the domain controller.
- The domain controller receives the request and replies to the client with its server challenge through NetrServerReqChallenge().
- At this point both the client and the domain controller compute a session key for the secure channel.
- The client invokes NetrServerAuthenticate3(), generates a client response and sends it to the domain controller.
- The server receives the client response and decides whether the secure channel can be established, based on the client response and the session key computed on both sides.
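When any step of this exchange fails (for example, because the computer account password stored in Active Directory no longer matches the one the client holds), the result is the broken secure channel described at the start of the article. The script below is an added example, not part of the original post, showing how an administrator checks the workstation secure channel from the client side and repairs it without rejoining the domain. It assumes an elevated session on a domain-joined machine, that nltest.exe is present (it ships with Windows), and that $RepairCredential is a placeholder for an account permitted to reset this computer's account; the event IDs 5719 and 3210 are the standard Netlogon System-log events for a failed secure session.

```powershell
# Added example: check, explain and (only if needed) repair the workstation secure
# channel. Assumptions: elevated PowerShell on a domain member; $RepairCredential is a
# placeholder credential with rights to reset this computer account.

function Get-SecureChannelStatus {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDOMAIN)

    # Test-ComputerSecureChannel returns $true when the channel to a DC is usable.
    $healthy = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    # nltest reports which DC the channel is bound to and the last status code.
    $scQuery = & nltest.exe /sc_query:$Domain 2>&1
    $dcLine  = $scQuery | Where-Object { $_ -match 'Trusted DC Name' }
    $status  = $scQuery | Where-Object { $_ -match 'Trusted DC Connection Status' }

    # Netlogon 5719 (could not set up a secure session) and 3210 (failed to
    # authenticate with a DC) in the last day are the usual symptoms of a broken channel.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5719, 3210
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Domain           = $Domain
        SecureChannelOK  = [bool]$healthy
        TrustedDC        = ("$dcLine" -replace '.*\\\\', '').Trim()
        ConnectionStatus = ("$status" -replace '.*Status\s*=\s*', '').Trim()
        NetlogonFailures = @($events).Count
    }
}

function Repair-SecureChannelIfBroken {
    [CmdletBinding()]
    param([Parameter(Mandatory)][pscredential]$Credential)

    $before = Get-SecureChannelStatus
    if ($before.SecureChannelOK) {
        Write-Verbose "Secure channel to $($before.Domain) via $($before.TrustedDC) is healthy."
        return $before
    }

    # -Repair re-establishes the channel with the existing computer account, so the
    # machine keeps its SID and group memberships; no domain rejoin is required.
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        Write-Verbose 'Secure channel repaired in place.'
    }
    else {
        # Fall back to forcing a new machine-account password: the same change
        # Netlogon performs every MaximumPasswordAge days, done on demand.
        Reset-ComputerMachinePassword -Credential $Credential
        Write-Verbose 'Machine account password reset; Netlogon will rebuild the channel.'
    }
    Get-SecureChannelStatus
}

# Placeholder credential prompt; supply an account allowed to reset this computer account.
$RepairCredential = Get-Credential -Message 'Account permitted to reset this computer account'
Repair-SecureChannelIfBroken -Credential $RepairCredential -Verbose | Format-List
```

Running Get-SecureChannelStatus alone is a safe read-only check suitable for a scheduled health script; the repair path changes the computer account password, so it is gated behind the explicit failure of Test-ComputerSecureChannel rather than run unconditionally.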