Authentication Protocol Domain Support (APDS) provides the required communication between a server and a domain controller (DC) that uses Netlogon interfaces ([MS-NRPC] section 3.2) to complete an authentication sequence.
An operating system can support a number of authentication protocols, such as NT LAN Manager (NTLM) Authentication Protocol, Kerberos, Secure Sockets Layer (SSL)/Transport Layer Security (TLS), and Digest authentication. Authentication Protocol Domain Support is used by NT LAN Manager (NTLM) and the Digest validation protocol to perform validation of the user's credentials at the domain controller. The Kerberos protocol uses Authentication Protocol Domain Support to perform the required communication for privilege attribute certificate (PAC) validation.
With the exception of Kerberos (which also relies on a mutually trusted third-party called Key Distribution Center (KDC) [MS-KILE]), all of these protocols can be supported by any server, relying only on a local user account database. Therefore, specifications for these protocols can stand entirely on their own. However, in a domain context, when the server is a member of a domain and relies on the domain account database, the domain controller contributes to the authentication and authorization processes.
Domain members use the Netlogon Remote Protocol [MS-NRPC] to communicate with the domain controller for purposes of authentication and authorization.
The implementations of these authentication protocols use a variety of methods to communicate with the domain controller in the course of their executions. These methods, collectively referred to as Authentication Protocol Domain Support, are specified in this document.
Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in [RFC2119]. Sections 1.5 and 1.9 are also normative but do not contain those terms. All other sections and examples in this specification are informative.