Kerberos is a distributed, ticket-based authentication service. It can be used for secure authentication in TCP/IP networks and provides users with tickets to use services. Passwords no longer need to be transmitted over the network. Microsoft uses Kerberos as the default authentication method in Windows-based networks. Kerberos was developed at the Massachusetts Institute of Technology.
What is Kerberos?
Kerberos is an authentication service for TCP/IP-based networks. The name “Kerberos” comes from Greek mythology and refers to the three-headed hellhound “Cerberus”, the guardian at the entrance to the underworld. The authentication service was developed at the Massachusetts Institute of Technology (MIT) as part of Project Athena in the late 1980s.
The actual authentication is performed by a trusted third party. Clients receive encrypted tickets with which they authenticate themselves to the various services. Passwords no longer have to be transmitted over the network. Thanks to single sign-on support, it is sufficient for a user to log on to a central Key Distribution Center (KDC) only once. Further authentications to individual services take place without any interaction on the part of the user. The technical details of the authentication service and the authentication process are specified in RFC 4120.
Kerberos is available from MIT as a client and server version. In addition, numerous other free or commercial implementations exist. In Windows and Unix networks, Kerberos is one of the most widely used protocols for single sign-on. Microsoft has used the authentication service as a standard protocol in Windows-based networks since the Windows server version 2000/2003 and the client version Windows 2000/XP. Kerberos keys are stored in Active Directory. Implementations also exist for other operating systems such as macOS, Linux, and FreeBSD.
Authentication process and components involved
To use Kerberos, both the client and the addressed service must be able to handle the issued tickets. Software components are required on the client machine and at the service provider. In addition, the trusted third party, the Kerberos server, must exist.
A central component is the Key Distribution Center (KDC) for generating and managing Kerberos session keys. It consists of the Authentication Server (AS) and the Ticket Granting Server (TGS). The Authentication Server handles the authentication of users and issues them Ticket Granting Tickets (TGT).
The Ticket Granting Server’s task is to issue tickets for access to the individual services. It receives a TGT from the client as proof of its earlier authentication with the AS. In principle, the AS and TGS can be installed on different systems; in practice they are usually located on the same server.
In simplified terms, the authentication and service usage process is as follows:
- The client first authenticates itself to the AS with its user credentials
- The AS issues a TGT to the client
- To authenticate to a service, the client sends the TGT together with the service principal name (SPN) to the Ticket Granting Server
- The KDC confirms to the TGS that the requesting client is allowed to access the service
- The TGS issues the actual ticket for the service to be used and sends it to the client
- The client sends the ticket to the service to prove its access authorization
- The service accepts the ticket and grants access
Both the TGT and the actual service ticket are time-stamped. Once a ticket’s lifetime has expired, the client must authenticate again at the AS or TGS. As a rule, service tickets are valid for several hours, and during that time the client reuses the same service ticket for every request to that service. Because ticket validity depends on timestamps, the parties involved synchronize their system clocks via services such as NTP (Network Time Protocol).
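The seven steps listed above and the ticket-lifetime rule that follows them are easier to see in running code. The following is an added illustration, not code from MIT Kerberos or any other real KDC: it walks one client through the AS exchange, the TGS exchange and the final presentation of the service ticket, using a toy encrypt-then-MAC construction (SHA-256 keystream plus an HMAC-SHA256 tag) as a stand-in for the real Kerberos encryption types. The realm EXAMPLE.TEST, the principals, passwords and lifetimes are all constructed for the example; the 300-second clock-skew allowance mirrors the common default but is an assumption here.

```python
"""Toy walk-through of the Kerberos AS -> TGS -> service exchange.

Constructed example; not MIT Kerberos or any real KDC. The cipher below is a
stand-in for the real Kerberos encryption types, and every principal, password
and key is invented. The user's password never leaves the client: only a key
derived from it is used, and only sealed messages cross the "network".
"""
import hashlib
import hmac
import json
import os

SKEW = 300               # allowed clock skew in seconds (assumed default)
TICKET_LIFE = 10 * 3600  # ticket lifetime: the "several hours" from the text


def string2key(password, principal):
    """Derive a long-term key from a password (stand-in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _stream(key, nonce, length):
    """Keystream for the toy cipher: SHA-256 over key, nonce and a block counter."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))


def seal(key, obj):
    """Encrypt-then-MAC a dict under key; plays the role of Kerberos EncryptedData."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key, blob):
    """Verify the tag, then decrypt. A wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def check_authenticator(session, authenticator, ticket, now):
    """Shared by TGS and service: the ticket must be unexpired, the authenticator fresh."""
    if now > ticket["expires"]:
        raise ValueError("ticket expired; client must go back to the AS/TGS")
    auth = unseal(session, authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["timestamp"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return auth["client"]


class KDC:
    """AS and TGS on one host, the usual deployment described in the text."""

    def __init__(self):
        self.keys = {}                 # principal -> long-term key (the KDC database)
        self.tgs_key = os.urandom(32)  # key of the ticket-granting service; protects every TGT

    def register(self, principal, password):
        self.keys[principal] = string2key(password, principal)
        return self.keys[principal]

    def authenticate(self, client, pre_auth, now):
        """Steps 1-2 (AS exchange): returns (TGT, reply sealed under the client's key)."""
        key = self.keys[client]
        if abs(now - unseal(key, pre_auth)["timestamp"]) > SKEW:   # pre-authentication check
            raise ValueError("pre-authentication timestamp outside allowed skew")
        session = os.urandom(32).hex()
        tgt = {"client": client, "session": session, "expires": now + TICKET_LIFE}
        return seal(self.tgs_key, tgt), seal(key, {"session": session, "expires": tgt["expires"]})

    def grant(self, tgt, authenticator, spn, now):
        """Steps 3-5 (TGS exchange): validates the TGT and issues a ticket for spn."""
        tgt_body = unseal(self.tgs_key, tgt)
        session = bytes.fromhex(tgt_body["session"])
        client = check_authenticator(session, authenticator, tgt_body, now)
        svc_session = os.urandom(32).hex()
        ticket = {"client": client, "spn": spn, "session": svc_session, "expires": now + TICKET_LIFE}
        return seal(self.keys[spn], ticket), seal(session, {"spn": spn, "session": svc_session})


def service_accept(svc_key, ticket, authenticator, now):
    """Steps 6-7 (AP exchange): the service opens the ticket with its own key and admits the client."""
    body = unseal(svc_key, ticket)
    return check_authenticator(bytes.fromhex(body["session"]), authenticator, body, now)


def run_exchange(now=1_700_000_000.0, present_at=None):
    """Full round trip; present_at lets the caller show the service ticket later (expiry demo)."""
    user, spn, pw = "alice@EXAMPLE.TEST", "HTTP/web.example.test@EXAMPLE.TEST", "correct horse battery staple"
    kdc = KDC()
    kdc.register(user, pw)
    svc_key = kdc.register(spn, "constructed-service-password")
    user_key = string2key(pw, user)                      # computed on the client, never sent
    tgt, rep = kdc.authenticate(user, seal(user_key, {"timestamp": now}), now)
    tgt_session = bytes.fromhex(unseal(user_key, rep)["session"])
    auth = seal(tgt_session, {"client": user, "timestamp": now})
    ticket, rep2 = kdc.grant(tgt, auth, spn, now)
    svc_session = bytes.fromhex(unseal(tgt_session, rep2)["session"])
    t = now if present_at is None else present_at
    auth2 = seal(svc_session, {"client": user, "timestamp": t})
    return service_accept(svc_key, ticket, auth2, t)    # returns the admitted principal
```

Run `run_exchange()` to see the principal admitted by the service; calling it with `present_at` past the ticket lifetime shows the expiry check from the last paragraph firing, and opening any sealed blob with the wrong key (for example, handing the service the TGT instead of the service ticket) fails the integrity check before anything is decrypted, which is why each ticket can only be read by the party that holds the corresponding key.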