← Back to Kerberos Authentication

Kerberos Authentication Brief


What It Is

Kerberos is a ticket-based authentication protocol where a trusted third party, the Key Distribution Center (KDC), brokers authentication between users and services. Users prove their identity once and receive encrypted tickets that grant access to specific services without re-transmitting passwords.

Three-Phase Flow

(1) AS exchange: user proves identity to the KDC, receives a TGT encrypted with the KDC's key. (2) TGS exchange: user presents TGT, receives a service ticket encrypted with the target service's key. (3) AP exchange: user presents the service ticket to the target service. Passwords never cross the wire.

Key Components

  • KDC: centralized authority (the domain controller) that issues all tickets and knows every account's secret key
  • TGT: identity ticket encrypted with the krbtgt key; used to request service tickets; typically valid for 10 hours
  • TGS ticket: service-specific ticket encrypted with the target service account's key
  • krbtgt account: the KDC's own account; its key encrypts every TGT; most sensitive account in the domain

Interview Phrasing

Kerberos is a ticket-based system where the KDC brokers authentication. The user authenticates once and receives a TGT, then uses it to request service-specific tickets. Passwords never cross the network. From an attacker's perspective, the tickets themselves become targets, and if you can crack the key that protects a ticket, you can forge your own.

Common Pitfalls

  • Confusing authentication with authorization: Kerberos proves identity; the service decides access
  • Assuming Kerberos eliminates credential abuse: tickets and their encryption keys become the targets instead
  • Not understanding which key protects which ticket: TGT uses krbtgt key, TGS uses service account key; this maps directly to attack types
  • Thinking Kerberos is only relevant to defenders: every major AD attack targets a specific Kerberos design property