← Back to Certificate-Based Authentication

Certificate-Based Authentication Brief


How It Works

PKINIT is a Kerberos extension that allows a client to present a certificate instead of a password during initial authentication. The KDC returns a standard TGT, functionally identical to one obtained through a password. Schannel provides an alternative path via TLS, primarily over LDAPS.

Mental Model

Password-based Kerberos is the front door. PKINIT is a side door. Schannel is a third door. All lead to the same building. Once inside, it does not matter which door you used: the TGT works the same way.

Key Properties

  • Certificate must be signed by a CA in NTAuthCertificates
  • Certificate must have an authentication-capable EKU
  • TGT from PKINIT is identical to password-based TGT
  • Certificates survive password changes, valid until expiry or revocation
  • Schannel over LDAPS provides fallback when PKINIT is unavailable

Common Confusion

  • Certificate-based auth is the same as smart card auth: smart cards are one delivery mechanism; PKINIT works with any qualifying certificate
  • Password rotation invalidates certificates: it does not; certificates are independent of passwords
  • PKINIT is separate from Kerberos: it is an extension of Kerberos, producing the same TGT
  • Schannel is rarely useful: LDAPS is commonly available and LDAP access is enough to escalate privileges

Interview Phrasing

Certificates authenticate through PKINIT, same TGT as passwords. A certificate is functionally a credential. It survives password resets, can be valid for months or years, and looks like normal Kerberos traffic. If an attacker controls certificate issuance, they control authentication.