Channel: The Official Scripting Guys Forum! forum

AD Authentication and credentials encryption


Hello,
I need to authenticate to Active Directory using different credentials through the System.DirectoryServices.DirectoryEntry in a PowerShell script. Security is a huge deal in the environment I'm working in, and I have not been able to find a clear answer on this.

As the DirectoryEntry.AuthenticationType documentation says, since .NET Framework 2.0, the default AuthenticationType is "Secure". Now, apparently using the Secure AuthenticationType in an AD context means the following: "Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client." What I need to make sure of is that the credentials are not passed in clear text over the network. Is it sufficient to rely on the Secure authentication type or should I specify additional AuthenticationTypes, in which case what would be the most secure combination?

In addition to this, another security concern would be that the password would be stored in local memory until the next time the .NET garbage collection takes place, since there is no native method of disposing System.String. Can I use the System.GC.Collect method to remove the clear-text passwords from memory? I've read that this is not good practice as it can potentially cause performance issues, but looking at this from a security perspective, it may be worth looking into anyway if it can remove the string from memory.

I am not sure if this is the right forum to ask these kinds of questions, but figured it would be worth a shot.

Thanks,
Andreas
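
An added example, not part of the original post: one way to make the bind described above with alternate credentials while explicitly requesting the Secure flag together with signing and sealing of the LDAP traffic. The server name and naming context are hypothetical placeholders.

```powershell
# Added example. The LDAP path below is a hypothetical placeholder.
Add-Type -AssemblyName System.DirectoryServices

$ldapPath = 'LDAP://dc01.example.test/DC=example,DC=test'

# Prompt for the alternate account; the password is held as a SecureString.
$cred = Get-Credential -Message 'Account used to bind to Active Directory'

# Secure  : negotiate Kerberos (or NTLM) instead of a simple bind
# Signing : integrity-protect the LDAP traffic (requires Secure)
# Sealing : encrypt the LDAP traffic (requires Secure)
$authType = [System.DirectoryServices.AuthenticationTypes]'Secure, Signing, Sealing'

$entry = $null
try {
    # DirectoryEntry only accepts a System.String password, so the clear text
    # exists in process memory for this call. It is passed inline rather than
    # being assigned to a named variable that would keep it referenced.
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $ldapPath,
        $cred.UserName,
        $cred.GetNetworkCredential().Password,
        $authType)

    # The bind is lazy: reading NativeObject forces it and throws on failure.
    $null = $entry.NativeObject
    Write-Output "Bound as $($cred.UserName) using: $($entry.AuthenticationType)"
}
catch {
    Write-Warning "Bind failed: $($_.Exception.Message)"
}
finally {
    # Release the underlying ADSI object as soon as the work is done.
    if ($entry) { $entry.Dispose() }
}
```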

