Kerberos Authentication Brief
What It Is
Kerberos is a ticket-based authentication protocol where a trusted third party — the Key Distribution Center (KDC) — brokers authentication between users and services. Users prove their identity once and receive encrypted tickets that grant access to specific services without re-transmitting passwords.
Three-Phase Flow
(1) AS exchange — user proves identity to the KDC and receives a TGT encrypted with the krbtgt key (the KDC's own long-term key). (2) TGS exchange — user presents the TGT and receives a service ticket encrypted with the target service account's key. (3) AP exchange — user presents the service ticket to the target service. Passwords never cross the wire.
Key Components
- KDC — centralized authority (the domain controller) that issues all tickets and knows every account's secret key
- TGT — identity ticket encrypted with the krbtgt key; used to request service tickets; typically valid for 10 hours
- TGS ticket — service-specific ticket encrypted with the target service account's key
- krbtgt account — the KDC's own account; its key encrypts every TGT; most sensitive account in the domain
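As an added illustration of the Three-Phase Flow above and of the key-to-ticket mapping in Key Components (example code written for this brief, not taken from any Kerberos implementation): a toy Python model of the three exchanges. The sealing primitive, the kdf helper and all secrets (krbtgt-lab-secret, fs01-lab-secret, alice-lab-password) are constructed stand-ins; the point is that a TGT opens only under the krbtgt key, a service ticket only under the service's key, and the password never leaves the client.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # keystream from SHA-256(key || nonce || counter); toy, not a Kerberos enctype
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]
def seal(key: bytes, obj: dict) -> bytes:  # toy authenticated encryption: XOR keystream + HMAC tag
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_(key: bytes, blob: bytes) -> dict:  # fails unless the caller holds the exact sealing key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def kdf(secret: str) -> bytes:  # toy password-to-key derivation (constructed)
    return hashlib.sha256(secret.encode()).digest()
KRBTGT_KEY = kdf("krbtgt-lab-secret")                # constructed lab secrets; the KDC holds all of them
SERVICE_KEYS = {"cifs/fs01": kdf("fs01-lab-secret")}
USER_KEYS = {"alice": kdf("alice-lab-password")}

def as_exchange(user, preauth):                      # (1) AS exchange, KDC side
    ukey = USER_KEYS[user]
    if abs(time.time() - open_(ukey, preauth)["ts"]) > 300:   # pre-auth: timestamp under the user's key
        raise ValueError("stale pre-authentication")
    sk = os.urandom(32)                              # TGT session key
    tgt = seal(KRBTGT_KEY, {"user": user, "sk": sk.hex(), "exp": time.time() + 36000})  # 10 h
    return tgt, seal(ukey, {"sk": sk.hex()})         # the client can read only this second part

def tgs_exchange(tgt, authenticator, spn):           # (2) TGS exchange, KDC side
    t = open_(KRBTGT_KEY, tgt)                       # only the krbtgt key opens a TGT
    sk = bytes.fromhex(t["sk"])
    if t["exp"] < time.time() or open_(sk, authenticator)["user"] != t["user"]:
        raise ValueError("expired TGT or bad authenticator")
    ssk = os.urandom(32)                             # service session key
    st = seal(SERVICE_KEYS[spn], {"user": t["user"], "sk": ssk.hex()})
    return st, seal(sk, {"sk": ssk.hex()})

def ap_exchange(spn, st, authenticator) -> bool:     # (3) AP exchange, service side
    t = open_(SERVICE_KEYS[spn], st)                 # only the service's own key opens its ticket
    return open_(bytes.fromhex(t["sk"]), authenticator)["user"] == t["user"]

def client_login(user, password, spn):               # client side of all three phases
    ukey = kdf(password)                             # the password itself never leaves this function
    tgt, enc = as_exchange(user, seal(ukey, {"ts": time.time()}))
    sk = bytes.fromhex(open_(ukey, enc)["sk"])
    st, enc2 = tgs_exchange(tgt, seal(sk, {"user": user}), spn)
    ssk = bytes.fromhex(open_(sk, enc2)["sk"])
    return ap_exchange(spn, st, seal(ssk, {"user": user})), tgt, st
```

Try opening the returned TGT with the user's key or the service key: it fails, which is exactly the "which key protects which ticket" point the brief makes.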
Interview Phrasing
Kerberos is a ticket-based system where the KDC brokers authentication. The user authenticates once and receives a TGT, then uses it to request service-specific tickets. Passwords never cross the network. From an attacker's perspective, the tickets themselves become targets — if you can crack the key that protects a ticket, you can forge your own.
Common Pitfalls
- Confusing authentication with authorization — Kerberos proves identity; the service decides access
- Assuming Kerberos eliminates credential abuse — tickets and their encryption keys become the targets instead
- Not understanding which key protects which ticket — TGT uses krbtgt key, TGS uses service account key; this maps directly to attack types
- Thinking Kerberos is only relevant to defenders — every major AD attack targets a specific Kerberos design property