20Ara
Hashed Password Kerberos PKDF2 AES – ActiveDirectory
I know that in Active Directory environments passwords are stored in the form of hashes depending on encryption types used in the environment.
I understand also that when using AES as a symmetric encryption type, the user password goes through PKDF2 first which generates a key derived from the password, salt included.
Now my question is, when does AES come into play here? We get the key but what do we do with said key afterwards? What is it sent to the domain controller for verification? How does the domain controller before hand get the AES key to compare it with what the client sends?
If there is a different randomly generated AES key to use to encrpyt the hashed password, in what moment is it created?
