What is Kerberos Authentication

Kerberos Authentication

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

It has the following characteristics:

  1. It is secure: it never sends a password unless it is encrypted.
  2. Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins.
  3. The concept depends on a trusted third party – a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them.
  4. It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.
  • Kerberos introduces the concept of a Ticket-Granting Server (TGS).
  • A client that wishes to use a service has to receive a ticket – a time-limited cryptographic message – giving it access to the server.
  • Kerberos also requires an Authentication Server (AS) to verify clients.
  • The two servers combined make up a KDC(Key Distribution Center).Active Directory performs the functions of the KDC.
  • The following figure shows the sequence of events required for a client to gain access to a service using Kerberos authentication.


  • Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a message to the Authorization Server requesting a ticket granting ticket (TGT).
  • Step 2: The Authorization Server verifies the user’s access rights in the user database and creates a TGT and session key. The Authorization Sever encrypts the results using a key derived from the user’s password and sends a message back to the user workstation.
  • Step 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, real name and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key received in Step 2.
  • Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server.
  • Step 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator. The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match, and then grants access to the service.
  • Step 6: If mutual authentication is required, then the server will reply with a server authentication message.
  • The Kerberos server knows “secrets” (encrypted passwords) for all clients and servers under its control, or it is in contact with other secure servers that have this information. These “secrets” are used to encrypt all of the messages shown in the figure above.

You may also like...

Leave a Reply