Certificate-Based Authentication Brief
How It Works
PKINIT is a Kerberos extension that allows a client to present a certificate instead of a password during initial authentication. The KDC returns a standard TGT, functionally identical to one obtained through a password. Schannel provides an alternative path via TLS, primarily over LDAPS.
Mental Model
Password-based Kerberos is the front door. PKINIT is a side door. Schannel is a third door. All lead to the same building. Once inside, it does not matter which door you used: the TGT works the same way.
Key Properties
- Certificate must be signed by a CA in NTAuthCertificates
- Certificate must have an authentication-capable EKU
- TGT from PKINIT is identical to password-based TGT
- Certificates survive password changes, valid until expiry or revocation
- Schannel over LDAPS provides fallback when PKINIT is unavailable
Common Confusion
- Certificate-based auth is the same as smart card auth: smart cards are one delivery mechanism; PKINIT works with any qualifying certificate
- Password rotation invalidates certificates: it does not; certificates are independent of passwords
- PKINIT is separate from Kerberos: it is an extension of Kerberos, producing the same TGT
- Schannel is rarely useful: LDAPS is commonly available and LDAP access is enough to escalate privileges
Interview Phrasing
Certificates authenticate through PKINIT, same TGT as passwords. A certificate is functionally a credential. It survives password resets, can be valid for months or years, and looks like normal Kerberos traffic. If an attacker controls certificate issuance, they control authentication.