Kerberos Authentication

Kerberos is the authentication protocol used by Active Directory. It uses tickets to prove identity without sending passwords over the network. Three entities take part: the client, the Key Distribution Center (KDC), and the service server.

Key Insight
Passwords stay on client
Tickets are time-limited (10hr default)
Replay protection via timestamps
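The full flow, written out as an added Python example (not code from the original page): the AS exchange yields a TGT, the TGS exchange yields a service ticket, and the AP exchange lets the service confirm who the client is. It also exercises the three Key Insight points: the password is turned into a key on the client and never sent, tickets carry a 10-hour expiry, and a per-service replay cache refuses a second copy of the same timestamped authenticator. Everything here is an assumption for the demo: the encryption is a toy encrypt-then-MAC on SHA-256 rather than a real Kerberos encryption type, messages are JSON rather than ASN.1, the 5-minute clock-skew limit is a constant chosen to match the common default, and the principal names and password are constructed.

```python
"""Toy walk-through of the three Kerberos exchanges (constructed example, not production code).
AS: client<->KDC/AS gives a TGT;  TGS: client<->KDC/TGS gives a service ticket;  AP: client<->service.
Encryption is a toy encrypt-then-MAC on SHA-256 (stdlib only), NOT a real Kerberos etype."""
import hashlib, hmac, json, os

TICKET_LIFETIME = 10 * 3600  # seconds: the 10-hour default ticket lifetime
MAX_SKEW = 5 * 60            # seconds: authenticators with older timestamps are refused (assumed default)

def derive_key(password, salt):  # run on the client, so the password itself never leaves it
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def toy_encrypt(key, obj):  # nonce || ciphertext || HMAC tag over a JSON-encoded dict
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify_ap(key, ticket_blob, auth_blob, now, replay_cache=None):
    """Ticket + authenticator check shared by the TGS (krbtgt key) and the service (its own key)."""
    ticket = toy_decrypt(key, ticket_blob)
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = toy_decrypt(bytes.fromhex(ticket["key"]), auth_blob)  # only the ticket's owner has this key
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside allowed skew")
    if replay_cache is not None:  # replay protection: the same (client, timestamp) is refused twice
        if (auth["client"], auth["ts"]) in replay_cache:
            raise ValueError("replayed authenticator")
        replay_cache.add((auth["client"], auth["ts"]))
    return ticket, bytes.fromhex(ticket["key"])

class KDC:  # plays both the AS and the TGS role; holds every principal's long-term key
    def __init__(self, users, services):
        self.user_keys = {u: derive_key(p, u) for u, p in users.items()}  # provisioning shortcut
        self.service_keys = {s: os.urandom(32) for s in services}
        self.krbtgt_key = os.urandom(32)  # the key every TGT is encrypted with

    def as_exchange(self, user, pa_enc_timestamp, now):  # AS-REQ with pre-auth -> (TGT, enc reply part)
        key = self.user_keys[user]
        if abs(now - toy_decrypt(key, pa_enc_timestamp)["ts"]) > MAX_SKEW:  # wrong password fails here
            raise ValueError("pre-auth timestamp outside allowed skew")
        body = {"client": user, "key": os.urandom(32).hex(), "expires": now + TICKET_LIFETIME}
        return toy_encrypt(self.krbtgt_key, body), toy_encrypt(key, body)

    def tgs_exchange(self, tgt, authenticator, service, now):  # TGS-REQ -> (service ticket, enc reply)
        ticket, tgt_key = verify_ap(self.krbtgt_key, tgt, authenticator, now)
        body = {"client": ticket["client"], "key": os.urandom(32).hex(),
                "expires": min(ticket["expires"], now + TICKET_LIFETIME)}
        return toy_encrypt(self.service_keys[service], body), toy_encrypt(tgt_key, body)

class Client:
    def __init__(self, user, password):
        self.user, self.key = user, derive_key(password, user)  # password stays on the client

    def authenticator(self, session_key, now):
        return toy_encrypt(session_key, {"client": self.user, "ts": now})

    def login(self, kdc, service, now):  # exchanges 1 and 2 -> (service ticket, service session key)
        tgt, enc = kdc.as_exchange(self.user, self.authenticator(self.key, now), now)
        tgt_key = bytes.fromhex(toy_decrypt(self.key, enc)["key"])
        st, enc2 = kdc.tgs_exchange(tgt, self.authenticator(tgt_key, now), service, now)
        return st, bytes.fromhex(toy_decrypt(tgt_key, enc2)["key"])

class Service:
    def __init__(self, key):
        self.key, self.replay_cache = key, set()

    def accept(self, ticket, authenticator, now):  # AP-REQ -> authenticated client name
        return verify_ap(self.key, ticket, authenticator, now, self.replay_cache)[0]["client"]

def _rejected(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def demo(now=1_700_000_000.0):  # fixed clock so the run is reproducible
    svc_name, pw = "cifs/fileserver.corp.example", "correct horse battery"  # constructed sample principals
    kdc = KDC({"alice": pw}, [svc_name])
    fileserver, alice = Service(kdc.service_keys[svc_name]), Client("alice", pw)
    ticket, svc_key = alice.login(kdc, svc_name, now)
    auth, late = alice.authenticator(svc_key, now), now + TICKET_LIFETIME + 60
    return {
        "login": fileserver.accept(ticket, auth, now),                       # "alice"
        "replay_rejected": _rejected(fileserver.accept, ticket, auth, now),  # same authenticator twice
        "expired_rejected": _rejected(fileserver.accept, ticket, alice.authenticator(svc_key, late), late),
        "bad_password_rejected": _rejected(Client("alice", "guess").login, kdc, svc_name, now),
    }
```

Run `demo()` to see the four outcomes. Note where each check lives: the KDC never learns the password, only a key derived from it, and it rejects a wrong password because the pre-authentication timestamp will not decrypt; the service needs no contact with the KDC at all, since the service ticket is sealed under its own key and the authenticator proves the client holds the session key inside it; and replay protection works only because the service remembers recent (client, timestamp) pairs for at least the skew window.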