Kerberos provides strong mutual authentication for client-server applications, forming the backbone of Windows Active Directory authentication and many enterprise single sign-on implementations.
Why it matters
- Passwords never traverse the network, eliminating credential interception risks.
- Enables single sign-on across network services without repeated authentication.
- Provides mutual authentication, verifying both client and server identities.
- Standard protocol for Windows domain authentication and many Linux/Unix environments.
Key concepts
- Key Distribution Center (KDC): Trusted server containing Authentication Server (AS) and Ticket Granting Server (TGS).
- Ticket Granting Ticket (TGT): Initial ticket obtained after authentication, used to request service tickets.
- Service Ticket: Credential presented to access a specific service.
- Principal: Unique identity for users, services, or hosts (user@REALM or service/host@REALM).
- Realm: Authentication administrative domain, typically uppercase domain name.
Authentication flow
- User authenticates to AS, receives TGT encrypted with user's password hash.
- User requests service ticket from TGS using TGT.
- TGS issues service ticket encrypted with target service's key.
- User presents service ticket to access the resource.
- Service decrypts ticket with its key, authenticates the user.
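The five steps above as an added example, not code from the original page: a toy Python model of the AS, TGS and service exchange. Real Kerberos encrypts each message with AES; here seal()/unseal() stand in with an HMAC tag so the block runs on the standard library, which is enough to show which long-term key protects the TGT, the service ticket and the client's session key, and why a service validates a ticket with its own key rather than by contacting the KDC. The realm, principal names and passwords are constructed.

```python
# Added example, not from the page: a toy model of the AS -> TGS -> service
# exchange. seal()/unseal() use an HMAC tag over JSON (integrity only) in
# place of real Kerberos encryption so the block runs on the standard library.
import hashlib, hmac, json

REALM = "EXAMPLE.COM"   # constructed realm; names and passwords below are made up
MAX_SKEW = 300          # Kerberos tolerates 5 minutes of clock drift

def string_to_key(password: str, principal: str) -> bytes:
    # Kerberos AES keys come from PBKDF2 over the password with a realm+principal
    # salt; the iteration count here is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)

def seal(key: bytes, msg: dict) -> dict:
    body = json.dumps(msg, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}

def unseal(key: bytes, blob: dict) -> dict:
    tag = hmac.new(key, blob["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise PermissionError("wrong key or tampered ticket")
    return json.loads(blob["body"])

class KDC:
    # Holds every long-term key; the krbtgt key is what a Golden Ticket forger needs.
    def __init__(self, users: dict, services: dict):
        self.user_keys = {u: string_to_key(p, u) for u, p in users.items()}
        self.svc_keys = {s: string_to_key(p, s) for s, p in services.items()}
        self.krbtgt_key = string_to_key("krbtgt-secret", "krbtgt")

    def as_exchange(self, user: str, now: float) -> dict:
        # AS-REP: session key sealed for the user, TGT sealed for the TGS only.
        sk = hashlib.sha256(f"{user}:{now}".encode()).hexdigest()
        return {"for_user": seal(self.user_keys[user], {"sk": sk}),
                "tgt": seal(self.krbtgt_key, {"user": user, "sk": sk, "t": now})}

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str, now: float) -> dict:
        t = unseal(self.krbtgt_key, tgt)                      # only the KDC can open a TGT
        a = unseal(bytes.fromhex(t["sk"]), authenticator)     # proves the client holds the session key
        if a["user"] != t["user"] or abs(now - a["t"]) > MAX_SKEW:
            raise PermissionError("authenticator mismatch or clock skew")
        return seal(self.svc_keys[service], {"user": t["user"], "svc": service, "t": now})

def service_accepts(svc_key: bytes, ticket: dict, now: float) -> bool:
    # The service checks the ticket with its own key and never contacts the KDC.
    try:
        return abs(now - unseal(svc_key, ticket)["t"]) <= MAX_SKEW
    except PermissionError:
        return False
```

The client side is the part the test below exercises: it opens the AS reply with its password-derived key, builds an authenticator under the session key, and presents the resulting service ticket; a stale authenticator or a ticket checked outside the skew window is rejected.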
Security considerations
- Protect the KDC as compromise enables forging any ticket (Golden Ticket attack).
- Monitor for anomalous ticket requests indicating Pass-the-Ticket attacks.
- Implement strong password policies since TGTs are encrypted with password hashes.
- Use AES encryption instead of legacy RC4 to prevent cracking attacks.
- Synchronize time across all systems; Kerberos requires clocks within 5 minutes.
Common attacks and defenses
- Kerberoasting: Requesting service tickets for offline password cracking. Defend with strong service account passwords.
- Golden Ticket: Forged TGT using compromised KRBTGT hash. Defend by rotating KRBTGT password twice.
- Silver Ticket: Forged service ticket using compromised service account. Defend with Privileged Access Management.
- Pass-the-Ticket: Stolen ticket reuse. Defend with Credential Guard and ticket lifetime limits.