A network administrator needs to authenticate users accessing the internet through the firewall using Active Directory credentials. Which authentication method should be used to transparently authenticate users without requiring a browser-based captive portal?
Kerberos provides transparent authentication for domain users.
Why this answer
Kerberos is the correct choice because it enables transparent, single sign-on (SSO) authentication in a Windows Active Directory domain. When a user logs into a domain-joined workstation, Kerberos obtains a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC). The firewall can then use Kerberos authentication to verify the user's identity without any browser-based captive portal, because the client uses its TGT to obtain a service ticket and presents that ticket automatically.
Exam trap
The trap here is that candidates often confuse NTLM with Kerberos and assume NTLM can also provide transparent SSO. In practice, NTLM typically requires a browser-based challenge, or fails outright in modern environments, because it lacks mutual authentication and relies on weaker cryptographic methods.
How to eliminate wrong answers
Option A is wrong because LDAP is a directory access protocol used for querying and modifying directory services, not for transparent user authentication; it typically requires explicit credential submission or a bind operation. Option B is wrong because NTLM is a challenge-response authentication protocol that can work transparently in some scenarios, but it is older, less secure, and often requires a browser-based prompt or specific application support; it does not provide the seamless SSO experience that Kerberos offers in a modern AD environment. Option C is wrong because SAML is an XML-based federated identity protocol primarily used for web-based SSO across different domains; it inherently relies on a browser or HTTP redirect to a SAML identity provider, making it unsuitable for transparent authentication without a captive portal.