Setting up AD integration
It is common to see internal-facing applications leveraging Active Directory Domain Services (AD DS) integration. Developers, sysadmins, and security consultants can offload authentication and authorization to a well-known directory service while keeping seamless access to the application under the end user's existing identity. For this integration to work, both the client (the user's desktop) and the server hosting the application must be members of the same AD domain or forest, or of different forests joined by a trust relationship, so that Kerberos tickets can be exchanged between them.
The following diagram is a high-level example of how a user can leverage an existing Kerberos ticket to access network resources from a domain-joined machine in the same Kerberos realm:
Figure 5.1 – High-level overview of user authentication/authorization using AD
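The prerequisites above (client and server in the same domain, the same forest, or trusted forests) are easy to state and easy to get wrong in practice. The following PowerShell function is an added example and not code from the book: it reports the local domain and forest, enumerates forest trusts, checks whether an application server's DNS suffix falls inside a realm the current host can reach over Kerberos, and then lists the Kerberos tickets the current user already holds. The server name `app01.corp.example` and the `HTTP/` service class are constructed placeholders; the function assumes it runs on a domain-joined Windows host with `klist.exe` available, and it only treats a trusted forest's root domain name as reachable (child domains of a trusted forest would need to be added to the list).

```powershell
# Added example (not from the book): check the AD/Kerberos prerequisites
# described in the text from the host that will act as Kerberos client.
function Test-AdIntegrationPrereqs {
    param(
        # Application server the client will authenticate to (constructed placeholder).
        [string]$ServerHost = 'app01.corp.example'
    )

    # 1. The host must be domain-joined, otherwise there is no TGT to present.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "This host is not domain-joined (workgroup: $($cs.Domain)); Kerberos to $ServerHost cannot work."
        return $false
    }

    # 2. Determine our own domain and forest (the realms we belong to).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $forest = $domain.Forest
    Write-Host "Computer domain : $($domain.Name)"
    Write-Host "Forest          : $($forest.Name)"

    # 3. Enumerate forest trusts; these are what allow cross-forest ticket exchange.
    $trusts = @($forest.GetAllTrustRelationships())
    foreach ($t in $trusts) {
        Write-Host ("Forest trust    : {0} ({1}, {2})" -f $t.TargetName, $t.TrustDirection, $t.TrustType)
    }

    # 4. Infer the server's realm from its DNS suffix and compare it with the realms
    #    we can reach: our domain, every domain in our forest, and trusted forest roots.
    $parts = $ServerHost -split '\.', 2
    if ($parts.Count -lt 2) {
        Write-Warning "'$ServerHost' is not a fully qualified name; cannot infer its realm."
        return $false
    }
    $serverSuffix = $parts[1]
    $reachable = @($domain.Name) +
                 @($forest.Domains | ForEach-Object { $_.Name }) +
                 @($trusts | ForEach-Object { $_.TargetName })
    $ok = $reachable -contains $serverSuffix   # string comparison is case-insensitive in PowerShell
    if ($ok) {
        Write-Host "Realm check     : '$serverSuffix' is reachable via domain, forest, or trust."
    } else {
        Write-Warning "Realm check     : '$serverSuffix' is not our domain, our forest, or a trusted forest; expect NTLM fallback or failure."
    }

    # 5. Show the cached tickets (TGT plus any service tickets) the user already holds;
    #    this is the "existing Kerberos ticket" the diagram refers to.
    klist

    return $ok
}

# Usage: run as the interactive domain user who will access the application.
Test-AdIntegrationPrereqs -ServerHost 'app01.corp.example'
```

If the realm check passes but the application still falls back to NTLM, the next thing to look at is whether a service principal name (SPN) for the application is registered on the account running it; `klist get HTTP/app01.corp.example` will report whether a service ticket can be obtained for that placeholder SPN using the existing TGT.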
In order to use AD integration with Windows applications, the application needs to be designed...