Kerberos

Kerberos is a client-server authentication protocol that enables mutual authentication –  both the user and the server verify each other’s identity – over non-secure network connections.  The protocol is resistant to eavesdropping and replay attacks, and requires a trusted third party.

The Kerberos protocol uses a symmetric key derived from the user password to securely exchange a session key for the client and server to use. A server component is known as a Ticket Granting Service (TGS) then issues a security token (AKA Ticket-Granting-Ticket TGT) that can be later used by the client to gain access to different services provided by a Service Server.

Frequently Asked Questions
What is Kerberos authentication?

Kerberos is a client-server authentication protocol that works over unsecured connections.

How Does Kerberos work?

Kerberos uses the client/user password to derive an initial encryption key that allows for the secure exchange of a session key. Once a secure connection is established the authentication server issues a ticket-granting-ticket (TGT) that can be used by the client to request access to protected services.

Which component in Active Directory performs authentication for Kerberos?

Windows 2000 and later use Kerberos as its default authentication method. Kerberos is used by Active Directory Domain Services (i.e. Domain Controller) as the default authentication protocol when joining a client to a Windows domain.

What type of protocol is Kerberos?

Kerberos is a mutual authentication protocol.