What Is Kerberos? How Does Kerberos Work & Kerberos Authentication?

Do you use Microsoft Windows/Active Directory or Amazon Web Services (AWS)? Then you have probably been using Kerberos without even knowing it!

This article explores what Kerberos is and how it operates.

Kerberos and its Components

Kerberos is a security or authentication protocol for computer network security. Developed in the 1980s by MIT for Project Athena, Kerberos has since found application in many operating systems and networks.

Kerberos functions with 3 actors and uses a Key Distribution Centre (KDC) as a third-party authorizer/ intermediary between the client and the internet. This router prevents privatenetwork access and is strengthened further by Kerberos' symmetric-key cryptography. Since most domain controllers (DCs)/network servers on the Active Directory Domain Services (ADDS) require and allow authentication for host access, Kerberos has found extensive use.

Kerberos Authentication

Before we can understand the authentication process, each of the 3 actors' functions must be understood.

  • The Client/User – The client-server requests access on the user's behalf, which is then transferred to the Application Server (AS).

  • Application Server  Hosts the service or resources the user wants access to.

  • Key Distribution Centre (KDC)  Consists of 3 sub-parts that handle the triple as, i.e., Authentication, Authorization, and Accounting, namely

    • Authentication Server (AS)

    • Kerberos Databased (KDB) – stores details of tested users, e.g., ID and password.

    • Ticket Granting Server (TGS) – the connecting link between a user and the target service.

Kerberos Authentication Workflow

These are broadly the stages by which Kerberos verifies a connection.

Stage 1 – The client-server requests the AS in the KDC to allocate a Ticket Granting Ticket (TGT).

Stage 2  The AS runs users' credentials, e.g., user ID and network address. Verified users' details are found as values by the AS in the centralized Kerberos Database. Once the values are verified, the AS generates a secret client key using the client's password hash, which is encrypted by a session key (SK1) and the TGT (which has information like the client ID, domain address, timestamp, SK1 and the lifetime of the ticket) are included. The AS also simultaneously generates a secret TGS key.

Stage 3 – The client receives the secret user key, decrypts the TGT and SK1, and sends the authenticators to TGS.

Stage 4  The KDC uses the TGS secret key to decrypt and get the TGT and SK1. TGS matches the authenticator to user credentials, and the validity of the timestamp is verified. If everything is in order, the KDC creates an encrypted service ticket that contains the next session key (SK2). SK2 is also sent to the network service to validate the user's request.

Stage 5  When the client decrypts the service ticket, SK2 and authenticator are received. These are then sent to the target server.

Stage 6  Finally, the target server uses SK2 to verify all client details and the service ticket authenticator. The target server relays a message to the client to confirm mutual authentication, granting a secure connection.

How does the Kerberos Encryption happen?

When creating a new account, you need to give different usernames and passwords. The username and Kerberos version number are combined to create a unique string called "salt" to maximize randomness. The secret key needs to share between the client and the target service, which, when matched, gives access.

Pros and Cons of Kerberos

Below are some strengths and weaknesses of this protocol:


  • Single Log-in and Access Control − Kerberos only needs a single login, after which renewal doesn't need re-iterating information. Single-point login is easier for user access and administrators, e.g., in business, to enforce security policies.

  • Reciprocal/Shared and Reusable Authentication − The user and the service authenticate each other, so both parties are assured that the other has been verified.

    Plus, once a user has been verified, the authentication is durable for the ticket lifespan, and personal information doesn't have to be given again for this period.

  • Straightforward Transparency − Simple logs of the client's name and timestamp are maintained for effortless auditing and transparency.

  • Versatile Security System − Kerberos uses several safeguard features in its security arsenal. These include cryptography, encrypted secret keys for each of the three entities, and third-party authentication (Multi-Factor Authentication). Passwords are never stored or sent across the network, and only the password hash is used, which makes impersonation harder.

  • Restricted Ticket Lifetime − The ticket issued by TGS only valid for a certain period, after which the administrator nullifies any attempts to access the target server.


  • Strict Synchronization − The client, KDC, and host site must be available at and configured to the same times and dates to prevent the ticket lifespan from expiring. Kerberos does give time leeway of about 5 minutes, after which the process has to be repeated due to relay attacks.

  • Cluster Hosting − Accessing multiple domains together requires simultaneous replication of the servers, or else all the access requests fail. Each client/device and network server need its own hostname and secret key as identifiers. Overlaps or duplications can cause login issues.

  • Centralized System − Kerberos is a centralized protocol, so single point attack can shut down the entire system, which makes a secondary/backup authentication mechanism necessary

  • Node Compliance − All devices, network services, and operating systems must be Kerberos -compatible. Both sides must be able to read and resolve NetBIOS and DNS addresses, as these are the most used Kerberos SPNs, and they need access to TCP and UDP 88 ports that handle traffic for Kerberos.


Kerberos isn't going anywhere for the foreseeable future. It is still reliable and continues to effectively shield users from unauthorized attacks. Kerberos has lasted this long despite technology and cyber-crime advances. Many large companies like Microsoft and Apple have Kerberos built into their operating systems. Plus, each operating system can use Kerberos as its foundational authentication protocol and customize its software security.