Kerberos provides strong mutual authentication for client-server applications, forming the backbone of Windows Active Directory authentication and many enterprise single sign-on implementations.
Why it matters
- Passwords never traverse the network, eliminating credential interception risks.
- Enables single sign-on across network services without repeated authentication.
- Provides mutual authentication, verifying both client and server identities.
- Standard protocol for Windows domain authentication and many Linux/Unix environments.
Key concepts
- Key Distribution Center (KDC): Trusted server containing Authentication Server (AS) and Ticket Granting Server (TGS).
- Ticket Granting Ticket (TGT): Initial ticket obtained after authentication, used to request service tickets.
- Service Ticket: Credential presented to access a specific service.
- Principal: Unique identity for users, services, or hosts (user@REALM or service/host@REALM).
- Realm: Authentication administrative domain, typically uppercase domain name.
Authentication flow
- User authenticates to AS and receives a TGT; the AS reply carrying the TGT is encrypted with a key derived from the user's password, so only the legitimate user can read it.
- User requests service ticket from TGS using TGT.
- TGS issues service ticket encrypted with target service's key.
- User presents service ticket to access the resource.
- Service decrypts ticket with its key, authenticates the user.
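The five steps above, as an added worked example that is not part of the original page: a stand-alone Python model of the AS, TGS and AP exchanges in which the password never leaves the client, the TGT is sealed with the KDC's own krbtgt key, each service ticket is sealed with that service's key, and every party enforces the clock-skew limit from the security considerations below. The realm, principal names, passwords and the `seal`/`unseal` envelope (an HMAC-SHA256 keystream plus HMAC tag, used in place of Kerberos' real AES enctypes so the code needs no third-party library) are all constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"          # constructed realm name
MAX_SKEW = 300                 # seconds; Kerberos' default clock-skew tolerance
TICKET_LIFETIME = 36000        # seconds; 10 hours, a common default ticket lifetime


def derive_key(password: str, principal: str) -> bytes:
    """Password-to-key derivation. Stands in for Kerberos string-to-key
    (PBKDF2 for the AES enctypes); the salt is realm + principal as in Kerberos."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy encrypt-then-MAC envelope standing in for Kerberos' AES-CTS-HMAC."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def check_skew(now: int, ts: int) -> None:
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("clock skew exceeds %d seconds" % MAX_SKEW)


class KDC:
    """Holds AS and TGS. 'krbtgt' is the TGS's own long-term key; every TGT is sealed with it."""

    def __init__(self, principals: dict):
        self.keys = {name: derive_key(pw, name) for name, pw in principals.items()}

    def as_exchange(self, user: str, preauth: bytes, now: int) -> bytes:
        # AS-REQ: a timestamp sealed with the user's key proves knowledge of the
        # password without transmitting it (pre-authentication).
        check_skew(now, unseal(self.keys[user], preauth)["ts"])
        session_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": user, "key": session_key, "exp": now + TICKET_LIFETIME})
        # AS-REP: the TGT rides inside a reply only the password holder can open.
        return seal(self.keys[user], {"key": session_key, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        tgt = unseal(self.keys["krbtgt"], tgt_blob)      # a tampered TGT fails here
        if now > tgt["exp"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(tgt["key"]), authenticator)
        check_skew(now, auth["ts"])
        if auth["client"] != tgt["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": svc_key, "exp": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(tgt["key"]), {"key": svc_key, "ticket": ticket.hex()})


class Service:
    def __init__(self, name: str, password: str):
        self.key = derive_key(password, name)

    def accept(self, ticket_blob: bytes, authenticator: bytes, now: int) -> str:
        # AP-REQ: the service validates the ticket with its own key, no KDC round trip.
        ticket = unseal(self.key, ticket_blob)
        if now > ticket["exp"]:
            raise ValueError("service ticket expired")
        auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
        check_skew(now, auth["ts"])
        if auth["client"] != ticket["client"]:
            raise ValueError("authenticator does not match ticket")
        return ticket["client"]


def run_flow(client_password: str = "correct horse", client_skew: int = 0) -> str:
    """Walk 'alice' through AS, TGS and AP exchanges; returns the principal the service accepted."""
    now = int(time.time())
    kdc = KDC({"alice": "correct horse", "krbtgt": "kdc-long-term-secret", "http/web01": "svc-secret"})
    web = Service("http/web01", "svc-secret")
    client_key = derive_key(client_password, "alice")    # derived locally; never sent
    client_now = now + client_skew                      # models a client with a wrong clock
    as_rep = unseal(client_key, kdc.as_exchange("alice", seal(client_key, {"ts": client_now}), now))
    tgt_session, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(tgt_session, kdc.tgs_exchange(
        tgt, seal(tgt_session, {"client": "alice", "ts": client_now}), "http/web01", now))
    svc_session, ticket = bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])
    return web.accept(ticket, seal(svc_session, {"client": "alice", "ts": client_now}), now)


if __name__ == "__main__":
    print(run_flow())
```

Running `run_flow()` returns `"alice"`; a wrong password fails at the AS pre-authentication check (the KDC cannot open the sealed timestamp), and a client clock more than 300 seconds off fails the same check, which is why the page insists on time synchronisation.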
Security considerations
- Protect the KDC, since compromise of its krbtgt key lets an attacker forge any ticket (Golden Ticket attack).
- Monitor for anomalous ticket requests indicating Pass-the-Ticket attacks.
- Implement strong password policies, since the AS reply carrying the TGT is encrypted with a key derived from the user's password and is only as strong as that password.
- Use AES encryption instead of legacy RC4 to prevent offline cracking attacks.
- Synchronize time across all systems; Kerberos rejects requests whose timestamps differ by more than the allowed clock skew (5 minutes by default).
Common attacks and defenses
- Kerberoasting: Requesting service tickets for offline password cracking. Defend with strong service account passwords.
- Golden Ticket: Forged TGT using compromised KRBTGT hash. Defend by rotating KRBTGT password twice.
- Silver Ticket: Forged service ticket using compromised service account. Defend with Privileged Access Management.
- Pass-the-Ticket: Stolen ticket reuse. Defend with Credential Guard and ticket lifetime limits.
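Two of the defensive signals implied by the list above, as an added example that is not part of the original page: Windows logs each service ticket request as event 4769 with a Ticket Encryption Type field (0x17 is RC4-HMAC, 0x11/0x12 are AES), so a detector can flag RC4 service tickets (the crackable ones Kerberoasting targets) and a single account requesting many distinct SPNs in a short window. The log lines, realm, hosts and the `key=value` layout are constructed for this example and do not match the real 4769 XML; the threshold and window are assumed tuning values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # Windows 4769 "Ticket Encryption Type" for RC4-HMAC
SPN_THRESHOLD = 5               # assumed: distinct SPNs per user within WINDOW that warrant a finding
WINDOW = timedelta(minutes=2)   # assumed sliding window

# Constructed sample events in a simplified key=value layout (not real 4769 XML).
SAMPLE_4769 = """
2024-05-01 09:00:12 4769 user=bob@EXAMPLE.COM spn=cifs/files01.example.com etype=0x12 ip=10.0.1.15
2024-05-01 09:30:40 4769 user=bob@EXAMPLE.COM spn=http/intranet.example.com etype=0x12 ip=10.0.1.15
2024-05-01 10:02:05 4769 user=alice@EXAMPLE.COM spn=mssql/legacydb.example.com etype=0x17 ip=10.0.1.22
2024-05-01 11:15:00 4769 user=mallory@EXAMPLE.COM spn=mssql/sql01.example.com etype=0x17 ip=10.0.9.77
2024-05-01 11:15:01 4769 user=mallory@EXAMPLE.COM spn=mssql/sql02.example.com etype=0x17 ip=10.0.9.77
2024-05-01 11:15:01 4769 user=mallory@EXAMPLE.COM spn=http/reports.example.com etype=0x17 ip=10.0.9.77
2024-05-01 11:15:02 4769 user=mallory@EXAMPLE.COM spn=http/erp.example.com etype=0x17 ip=10.0.9.77
2024-05-01 11:15:03 4769 user=mallory@EXAMPLE.COM spn=cifs/backup01.example.com etype=0x17 ip=10.0.9.77
2024-05-01 11:15:04 4769 user=mallory@EXAMPLE.COM spn=ldap/app01.example.com etype=0x17 ip=10.0.9.77
2024-05-01 11:15:05 4769 user=mallory@EXAMPLE.COM spn=krbtgt/EXAMPLE.COM etype=0x12 ip=10.0.9.77
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) 4769 user=(?P<user>\S+) spn=(?P<spn>\S+) "
    r"etype=(?P<etype>0x[0-9a-fA-F]+) ip=(?P<ip>\S+)$"
)


def parse(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised 4769 line: %r" % line)
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    e["etype"] = int(e["etype"], 16)
    return e


def detect(lines) -> list:
    """Return findings for RC4 service tickets and SPN-enumeration bursts."""
    events = [parse(l) for l in lines if l.strip()]
    # TGT renewals show up as requests for the krbtgt SPN; they are not service tickets.
    events = [e for e in events if not e["spn"].lower().startswith("krbtgt/")]
    findings = []
    for e in events:
        if e["etype"] == RC4_HMAC:
            findings.append({"rule": "rc4_service_ticket", "user": e["user"],
                             "spn": e["spn"], "ts": e["ts"].isoformat()})
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        peak = 0
        for i, start in enumerate(evs):
            # distinct SPNs requested within WINDOW of this event
            spns = {x["spn"] for x in evs[i:] if x["ts"] - start["ts"] <= WINDOW}
            peak = max(peak, len(spns))
        if peak >= SPN_THRESHOLD:
            findings.append({"rule": "spn_enumeration_burst", "user": user, "distinct_spns": peak})
    return findings


def summarize(findings) -> dict:
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in detect(SAMPLE_4769):
        print(f)
    print(summarize(detect(SAMPLE_4769)))
```

On the sample, alice's single RC4 request to a legacy database is reported on its own (a candidate for migrating that service account to AES), while mallory's six distinct SPNs in a few seconds produce both per-ticket RC4 findings and one burst finding; in production the same logic would read the real event XML and tune `SPN_THRESHOLD` against the baseline of service-heavy accounts.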