When it comes to identity management, a directory is a repository of accounts. An account represents an entity, with attributes that describe it and an identity that identifies it uniquely. The password, an authenticator of the "something you know" kind, is the most commonly implemented authentication factor, so a password breach results in severe business impact.
Protecting passwords at rest, in transit, and in use is crucial. The account database can exist as a system file, a registry, a data structure in memory, a backup file on tape, or in any other ephemeral or persistent form in any storage. Understanding how operating systems store, convey, and cache authenticators (the password itself or its derivatives) for authentication is critical to minimizing the attack vectors and the attack surface.
Kerberos comprises three architectural elements: client, server (aka AP, application server), and Key Distribution Center (KDC). The KDC comprises two servers: Authentication Server (AS) and Ticket-Granting Server (TGS). Kerberos uses a request/response model that defines the messages exchanged between the client, server, and KDC. Major Kerberos messages are listed as follows:
Client and AS: KRB_AS_REQ (1) and KRB_AS_REP (2)
Client and TGS: KRB_TGS_REQ (3) and KRB_TGS_REP (4)
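The AS and TGS exchanges listed above, as an added example that is not part of the original page: a toy Python model in which the password never crosses the wire and the client only uses a password-derived key to open KRB_AS_REP. The `KDC` class, `seal`/`unseal` (a stand-in cipher, not a real Kerberos encryption type), the simplified key derivation and the principal names are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

def string_to_key(name, password):
    # Long-term key derived from the password (simplified stand-in, assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), name.encode(), 10_000)

def keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy authenticated encryption; stands in for a Kerberos encryption type.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.keys, self.tgs_key = {}, os.urandom(32)  # tgs_key is known only to the KDC

    def add_principal(self, name, password):
        self.keys[name] = string_to_key(name, password)

    def as_exchange(self, req):  # KRB_AS_REQ (1) -> KRB_AS_REP (2)
        sk = os.urandom(32).hex()  # session key shared by client and TGS
        return {"tgt": seal(self.tgs_key, {"cname": req["cname"], "key": sk}),
                "enc_part": seal(self.keys[req["cname"]], {"key": sk})}

    def tgs_exchange(self, req):  # KRB_TGS_REQ (3) -> KRB_TGS_REP (4)
        tgt = unseal(self.tgs_key, req["tgt"])
        sk = bytes.fromhex(tgt["key"])
        if unseal(sk, req["authenticator"])["cname"] != tgt["cname"]:
            raise ValueError("authenticator does not match TGT")
        svc = os.urandom(32).hex()  # session key shared by client and server
        return {"ticket": seal(self.keys[req["sname"]], {"cname": tgt["cname"], "key": svc}),
                "enc_part": seal(sk, {"key": svc})}

def client_login(kdc, name, password, sname):
    as_rep = kdc.as_exchange({"cname": name})  # the password itself is never sent
    sk = bytes.fromhex(unseal(string_to_key(name, password), as_rep["enc_part"])["key"])
    authenticator = seal(sk, {"cname": name})  # proves the client holds the session key
    tgs_rep = kdc.tgs_exchange({"sname": sname, "tgt": as_rep["tgt"], "authenticator": authenticator})
    return tgs_rep["ticket"], unseal(sk, tgs_rep["enc_part"])["key"]
```

The client can read neither the TGT nor the service ticket; it only forwards them, which is why the keys worth protecting are the password-derived key on the client and the long-term keys held by the KDC and the server.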
Outputs are the results of initiatives, activities, processes, or functions, while outcomes are outputs that deliver value, that is, benefits minus costs. From the PMI perspective, organizations typically group initiatives into projects, programs, and portfolios, which are core elements of a strategy.