Kerberos

A network authentication protocol designed to provide secure authentication over unsecured networks.

Kerberos uses a ticketing system to allow hosts on a network to prove their identity to each other securely. It is named after the three-headed dog that guards the Greek underworld. It requires a Key Distribution Center (KDC), which has three main components:

  • Authentication Service: handles user authentication when a user requests access to services
  • Ticket Granting Service: connects the authenticated user to the requested service
  • Kerberos Database: where user IDs and passwords are stored, usually in a Lightweight Directory Access Protocol (LDAP) directory, or in the Security Account Manager in an Active Directory context

Authentication w/ Kerberos

When the user first signs in with their credentials, the following information is sent to the KDC:

  • a Security Identifier (SID)
  • the name of the requested server (e.g. example.mydomain.loc)
  • the user's IP address
  • the requested lifetime of the Ticket-Granting-Ticket (TGT)

Note: the TGT acts as a "hall pass" that grants the user access to their requested service(s) without having them repeatedly enter their credentials for authentication.
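As an added illustration (not code from the original page), the following Python model walks through the AS and TGS exchanges described above: the user's key is derived from the password on both sides and is never sent, the TGT is opaque to the client because it is sealed under a key only the KDC holds, and the TGS refuses a TGT whose requested lifetime has elapsed. The sealing scheme, principal names and lifetimes are constructed stand-ins, not real Kerberos encryption types.

```python
# Toy model of the Kerberos AS and TGS exchanges. The "seal" scheme below is a
# constructed SHA-256 keystream plus HMAC tag standing in for a real Kerberos etype.
import hashlib, hmac, json, os

def derive_key(password: str, salt: str) -> bytes:
    """Long-term key that both client and KDC derive from the password (constructed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Authenticated-encryption stand-in: XOR with a keystream, then append an HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, database: dict):
        self.db = database                 # Kerberos database: principal -> long-term key
        self.krbtgt_key = os.urandom(32)   # TGT contents are readable only by the KDC itself

    def as_exchange(self, user: str, lifetime: int, now: float) -> tuple:
        """Authentication Service: issue a TGT and a session key sealed under the user's key."""
        sess, exp = os.urandom(16).hex(), now + lifetime
        tgt = seal(self.krbtgt_key, {"user": user, "sess": sess, "exp": exp})
        return tgt, seal(self.db[user], {"sess": sess, "exp": exp})

    def tgs_exchange(self, tgt: bytes, service: str, now: float) -> bytes:
        """Ticket Granting Service: accept the opaque TGT (no credentials) and issue a service ticket."""
        claims = unseal(self.krbtgt_key, tgt)
        if now > claims["exp"]:
            raise PermissionError("TGT lifetime exceeded; client must authenticate again")
        return seal(self.db[service], {"user": claims["user"], "sess": claims["sess"]})

def login_and_access(kdc: KDC, user: str, password: str, service: str, now: float) -> dict:
    """Client side: the password is used only locally, to open the AS reply."""
    tgt, enc_part = kdc.as_exchange(user, 600, now)
    session = unseal(derive_key(password, user), enc_part)["sess"]   # raises on a wrong password
    ticket = kdc.tgs_exchange(tgt, service, now + 60)                  # reuse the TGT, no password
    return {"session": session, "service_ticket": ticket}
```

Only the service holding the matching long-term key can open the service ticket, which is what lets the user reach several services from one sign-in.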

Kerberos can also be used with smart cards. In this case, the chip inside the smart card stores an encryption keypair and a digital certificate, issued by the authenticating domain.