Kerberos Authentication in Active Directory

Hacktivities, published in InfoSec Write-ups
4 min read, May 24, 2022

This article provides a basic overview of how the Kerberos authentication protocol works and how it is used in Active Directory. Kerberos is a large topic and this article will only cover the fundamentals, so with that being said, let's dive in!

What is Kerberos?

In my last article titled “Active Directory Overview”, I briefly mentioned that there were two main types of authentication in place for Active Directory, namely NTLM and Kerberos. Microsoft provides the following description for Kerberos:

Kerberos is an authentication protocol that is used to verify the identity of a user or host.

Kerberos is a computer-network authentication protocol designed to identify each user, who proves their identity with a secret password. Kerberos is used in Active Directory to provide information about the privileges of each user; however, it does not perform authorization. Kerberos does not validate which resource or service a user can access: it is the responsibility of each service to determine whether the user has access to its resources.

Why is Kerberos Used?

It is widely used due to its many benefits, a few of which are listed below.

  • Secure: Kerberos never transmits passwords over the network.
  • Single sign-on: Kerberos only requires the user to type their password once, when the client first authenticates.
  • Trusted third-party: Kerberos uses a centralized authentication server known as the Key Distribution Center (KDC) that all other devices in the network trust by default. This outsourcing ensures that sensitive information is not stored on a local machine.
  • Mutual authentication: In Kerberos, both ends of communication must be authenticated before the communication is permitted.

What are the Core Components of Kerberos?

The following terminology is often used when discussing the core components of Kerberos.

  • Kerberos Realm: a logical network, similar to a domain, over which a Kerberos authentication server has the authority to authenticate a user, host or service.
  • Key Distribution Centre (KDC): contains the Authentication Server (AS) and the Ticket Granting Service (TGS). Its main function is to mediate between these two: it relays messages from the AS, grants a ticket-granting ticket (TGT), and then passes that ticket on to be encrypted by the TGS. The KDC for a domain is located on a domain controller.
  • Authentication Server (AS): a client authenticates themselves to the AS using a username and password login. The AS then forwards the username to the KDC that in turn grants a TGT.
  • Ticket Granting Service (TGS): when a client wants to access a service, they must present their TGT to the TGS.
  • Service Principal Name (SPN): an identifier given to a service instance to associate a service instance with a domain service account.

The diagram below illustrates how these components are pieced together.

Overview of Kerberos Components.

What are Kerberos Tickets?

The main structures handled by Kerberos are the tickets. These tickets are delivered to the users in order to be used by them to perform several actions in the Kerberos realm. There are 2 types:

  • The TGS (Ticket Granting Service) ticket is the ticket which a user can use to authenticate against a service. It is encrypted with the service key.
  • The TGT (Ticket Granting Ticket) is granted by the KDC after the client is successfully authenticated. It is presented to the KDC to request TGSs and is encrypted with the KDC key.

How Does Kerberos Authentication Work in an AD Environment?

There is a series of steps performed during the Kerberos authentication process, but in real time the process is very quick. The steps below outline how Kerberos authentication works in Active Directory.

  1. When a user logs on to Active Directory, the user authenticates to the Authentication Server (AS) located on the Domain Controller (DC) using the user's password, which of course the DC knows.
  2. The DC sends the user a Ticket Granting Ticket (TGT) Kerberos ticket for the realm Kerberos has authority to authenticate for. The TGT is then cached on the user's computer for later use and presented to any DC to prove authentication when requesting Kerberos service tickets.
  3. The user decides they want to access the Skype service, which causes the user's workstation to look up the Service Principal Name (SPN) for the user's Exchange server.
  4. Once the SPN is identified, the computer communicates with the DC again and presents the user’s TGT as well as the SPN to the Ticket Granting Service for the resource to which the user needs to communicate.
  5. The DC replies with the Ticket Granting Service (TGS) Kerberos service ticket.
  6. The user’s workstation presents the TGS to the Exchange server for access.
  7. Skype connects successfully.
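The two ticket types described above and the seven steps just listed, worked through as an added example that is not part of the original article: a stdlib-only Python simulation of the AS exchange (steps 1 and 2), the TGS exchange (steps 4 and 5) and the presentation of the service ticket to the service (step 6). The realm name EXAMPLE.LOCAL, the users alice and bob, the SPN HTTP/skype.example.local and the seal/unseal toy cipher are all constructed for this example; they are not real Kerberos encryption types and not the article's own material. It goes a little beyond the article's single walkthrough by also showing a wrong password being rejected at the AS without any password crossing the wire, and a correctly authenticated user being denied by the service itself, which is the authorization point made earlier in the article.

```python
import hashlib, hmac, json, os, time
MAX_SKEW = 300  # seconds; stale timestamps are rejected to limit replay of captured messages

# Toy crypto: a constructed stand-in for real Kerberos enctypes (not RFC 3962 / AES-CTS).
def derive_key(password: str, realm: str, principal: str) -> bytes:
    """String-to-key: the DC stores this derived key, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a ticket or authenticator body; only a holder of `key` can open or forge it."""
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server + Ticket Granting Service of one realm (lives on the DC)."""
    def __init__(self, realm: str, directory: dict):
        self.realm, self.keys = realm, directory     # principal -> long-term key
        self.krbtgt_key = os.urandom(32)            # seals every TGT in this realm

    def as_exchange(self, user: str, preauth: bytes):
        """Steps 1-2: the client proves knowledge of its key with a sealed timestamp and gets a TGT."""
        if abs(time.time() - unseal(self.keys[user], preauth)["ts"]) > MAX_SKEW:
            raise ValueError("pre-authentication timestamp outside allowed clock skew")
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"cname": user, "session": session, "exp": time.time() + 36000})
        return tgt, seal(self.keys[user], {"session": session})  # session key readable only by the user

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """Steps 4-5: open the TGT with the krbtgt key, then issue a ticket sealed with the service key."""
        t = unseal(self.krbtgt_key, tgt)
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if time.time() > t["exp"] or auth["cname"] != t["cname"]:
            raise ValueError("TGT expired or authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        st = seal(self.keys[spn], {"cname": t["cname"], "spn": spn, "session": svc_session})
        return st, seal(bytes.fromhex(t["session"]), {"spn": spn, "session": svc_session})

class Service:
    """A Kerberized service: validates the ticket, then makes its OWN authorization decision."""
    def __init__(self, spn: str, key: bytes, allowed: set):
        self.spn, self.key, self.allowed = spn, key, allowed

    def ap_exchange(self, service_ticket: bytes, authenticator: bytes):
        """Step 6: only this service (and the KDC) can open the ticket, so the identity inside is trusted."""
        st = unseal(self.key, service_ticket)
        svc_session = bytes.fromhex(st["session"])
        auth = unseal(svc_session, authenticator)
        if st["spn"] != self.spn or auth["cname"] != st["cname"]:
            raise ValueError("ticket not for this service or authenticator mismatch")
        if st["cname"] not in self.allowed:   # Kerberos authenticated the user; access is the service's call
            return "denied", None
        # Mutual authentication: echoing the client's timestamp under the session key proves the server holds the service key.
        return "granted", seal(svc_session, {"ts": auth["ts"]})

def client_logon(kdc: KDC, user: str, password: str):
    """Workstation side of steps 1-2: derive the key locally; only sealed pre-auth data crosses the wire."""
    key = derive_key(password, kdc.realm, user)
    tgt, enc_part = kdc.as_exchange(user, seal(key, {"ts": time.time()}))
    session = bytes.fromhex(unseal(key, enc_part)["session"])
    return tgt, session   # cached on the workstation; the password is not needed again (single sign-on)

def client_access(kdc: KDC, svc: Service, user: str, tgt: bytes, session: bytes) -> str:
    """Steps 3-7: request a service ticket for the SPN, present it to the service, verify the server's reply."""
    st, enc_part = kdc.tgs_exchange(tgt, seal(session, {"cname": user, "ts": time.time()}), svc.spn)
    svc_session = bytes.fromhex(unseal(session, enc_part)["session"])
    ts = time.time()
    result, proof = svc.ap_exchange(st, seal(svc_session, {"cname": user, "ts": ts}))
    if result == "granted" and unseal(svc_session, proof)["ts"] != ts:
        raise ValueError("server failed mutual authentication")
    return result

def run_demo() -> dict:
    """Constructed realm with two users and one SPN; returns the outcome of each scenario."""
    realm, spn = "EXAMPLE.LOCAL", "HTTP/skype.example.local"
    directory = {"alice": derive_key("alice-pw", realm, "alice"),
                 "bob": derive_key("bob-pw", realm, "bob"), spn: os.urandom(32)}
    kdc, out = KDC(realm, directory), {}
    svc = Service(spn, directory[spn], allowed={"alice"})
    tgt, sess = client_logon(kdc, "alice", "alice-pw")
    out["alice"] = client_access(kdc, svc, "alice", tgt, sess)   # granted
    tgt, sess = client_logon(kdc, "bob", "bob-pw")
    out["bob"] = client_access(kdc, svc, "bob", tgt, sess)       # denied by the service, not by Kerberos
    try:
        client_logon(kdc, "alice", "wrong-pw")
        out["bad_password"] = "accepted"
    except ValueError:                                           # AS cannot open the pre-auth blob
        out["bad_password"] = "rejected"
    return out
```

Running `run_demo()` returns `{'alice': 'granted', 'bob': 'denied', 'bad_password': 'rejected'}`. Two design points map directly onto the article's claims: the TGT is sealed with a key only the KDC holds, so the workstation caches it but cannot read or alter it, and the service ticket is sealed with the service's own key, so the service can verify who the KDC authenticated without ever contacting the KDC itself. The `allowed` set on the service is the authorization decision that Kerberos deliberately leaves to each service.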

The sequence diagram below illustrates the steps outlined above.

Kerberos Authentication Sequence Diagram example.

Closing Remarks

Hopefully this short article on Kerberos has helped provide a basic overview of what it is and how it works. Kerberos is a massive topic that is worth knowing more about and is used widely by the majority of large companies that utilize Active Directory. Thank you for reading till the end and keep hacking! 😄
