Kerberos Authentication Explained


Kerberos provides a centralized authentication server which functions to authenticate users to servers and servers to users. Kerberos runs as a third-party trusted server known as the Key Distribution Center (KDC). Each user and service on the network is a principal. Key Components for understanding the protocol are:
    Key Distribution Center (KDC)
    Ticket Granting Ticket (TGT)
    Ticket Granting Service (TGS)
3 Headed Dog (Cerberus) which guards the Active Directory

Key Terminologies

Key Distribution Center: A key distribution center (KDC) is a component in an access control system responsible for servicing user requests to access resources by supplying access tickets and session keys. The KDC will use cryptographic techniques to authenticate requesting users, lookup their permissions, and grant them a ticket permitting access. Provides the Service and User ticket (TGS & TGT) to the client upon verification. Kerberos partitions KDC functionality between two different agents
    The Authentication Server (AS) - The AS performs initial authentication when a user wants to access a service and issues Ticket Granting Ticket (TGT) for users.
    The Ticket Granting Service (TGS) - The TGS issues service tickets (Ticket Granting Service Ticket) that are based on the initial ticket-granting tickets (TGT)
Ticket Granting Ticket: It’s the initial authentication where the user is verified and KDC provides a ticket which is encrypted with KRBTGT account’s password. TGT is cached in the client’s machine and the client request for another ticket when it expires.
Ticket Granting Service: The Client requests TGS ticket using TGT and a session key. Upon verification KDC provides a ticket that is encrypted using Service Account’s password which is TGS ticket.

Protocol Flow

    When user tries to access a resource in AD environment, the user enters the password and the NTLM hash. This hash used to encrypt the current time stamp and send it to KDC. (AS-REQ).
    Upon verification in KDC, the KDC gives an response (AS-REP) which consist of Ticket Granting Ticket and Session Key
      TGT - Encrypted using the NTLM hash of KRBTG account
      Session Key - Encrypted using the user account
    This is done only once, it is redone only when the obtained TGT is expired on the client machine. Until then, this TGT ticket is stored in the memory of the client's machine.
    With the TGT ticket, the client machine request the TGS ticket for particular a service or resource (TS-REQ)
    Upon verification in KDC, the KDC gives the response TGS-REP which consist of TGS and Session Key. Here the TGS is encrypted using the NTLM hash of the service account.
    The client then connects to the server hosting the service on the appropriate port & presents the TGS Ticket (AP-REQ)
    The resource or the application server verifies it through confirming data objects PAC, then allows the user to access the service.
The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets (TGT and TGS) that contains useful information about a user’s privileges. This information is added to Kerberos tickets by a domain controller when a user authenticates while accessing a service within an Active Directory domain.
Pictorial Representation of Keberos Authentication Flow
Packet flow captured through wireshark


Last modified 5mo ago