If you are using Mixed mode authentication, then you need to add the LDAP connection string. If you are using pure Windows authentication, just follow the docs and no LDAP connection string is needed. When authenticating against the AD, the user is using their AD credentials as usual. Kentico just needs to have the user account record (the user object) in its DB, but the actual authentication is done against the AD. Kentico does not store any passwords in this case.