How Kerberos Works

The Kerberos credential scheme embodies the SSO concept. Secure authentication is based on previously established initial credentials, which eliminates the need to re-enter a password each time a new service is accessed.

A Kerberos server consists of the following elements:

Realm - a user-defined administrative boundary.

Key Distribution Center (KDC) - the heart of the Kerberos realm. It provides Kerberos authentication services by issuing encrypted tickets that require secret keys to decrypt.

Principal - a unique name for a user or service stored in a KDC.

Tickets - records that help a client authenticate to a server.

Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the KDC. The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the KDC key, and sends the encrypted TGT back to the client. The client uses the TGT to obtain further service tickets, which provide the proof of the client's identity.

Users can also enable pre-authentication. When pre-authentication is enabled, a user must sign on to the KDC by proving knowledge of secret information. Once the identity of the user requesting a ticket is confirmed, the KDC returns a set of initial credentials for the user, consisting of a ticket-granting ticket (TGT) and a session key.

If a principal (user) needs to access any service located on a particular system, the KDC issues a service ticket for the specific service. A service ticket can be associated with one or more Kerberos-secured services on the same system. The service ticket is usually used by a client application on behalf of the user to authenticate the user to the Kerberos-secured network service. The Kerberized client application automatically handles the transactions with the KDC. Service tickets and associated session keys are generally cached in the user’s credentials cache file along with the user’s TGT.
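The three exchanges described above (pre-authenticated TGT request, service ticket request, and authentication to the service) can be traced end to end in a small simulation. The code below is an added example, not code from the original page or from any Kerberos implementation. It assumes a constructed realm EXAMPLE.COM with the principals alice and host/fileserver, derives long-term keys from passwords with PBKDF2 salted by realm and principal name, and replaces the real Kerberos encryption types with a toy HMAC-based encrypt-then-MAC so that the file runs on the Python standard library alone. The message fields are a simplified subset of the real ASN.1 structures; the point is to show which key seals which ticket, what the KDC checks before issuing a service ticket, and why a wrong password is rejected at pre-authentication before any TGT is handed out.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption: stand-in for Kerberos etypes, NOT real Kerberos crypto.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(key: bytes, msg: dict) -> dict:
    """Encrypt-then-MAC a JSON message; only a holder of `key` can read or forge it."""
    plain = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt(key: bytes, blob: dict) -> dict:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key from a password, salted with realm + principal name (as Kerberos does)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 20000)

CLOCK_SKEW = 300  # seconds; timestamps further off than this are rejected

class KDC:
    """Constructed KDC: the realm's principal database plus the KDC key that seals TGTs."""
    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}                   # principal -> long-term secret key
        self.kdc_key = os.urandom(32)  # only the KDC can open or mint a TGT

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string_to_key(password, self.realm, name)

    def as_exchange(self, client: str, preauth: dict):
        """AS exchange: pre-auth proves the password; reply is a TGT plus a session key."""
        key = self.db[client]  # a wrong password fails the MAC here, before any TGT exists
        if abs(time.time() - decrypt(key, preauth)["timestamp"]) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp out of range")
        session = os.urandom(32)
        tgt = encrypt(self.kdc_key, {"client": client, "session": session.hex(),
                                     "expires": time.time() + 36000})
        return tgt, encrypt(key, {"session": session.hex()})

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str):
        """TGS exchange: open the TGT with the KDC key, check the authenticator, issue a service ticket."""
        t = decrypt(self.kdc_key, tgt)
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        tgt_session = bytes.fromhex(t["session"])
        auth = decrypt(tgt_session, authenticator)
        if auth["client"] != t["client"] or abs(time.time() - auth["timestamp"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32)
        ticket = encrypt(self.db[service], {"client": t["client"], "service": service,
                                            "session": svc_session.hex(),
                                            "expires": time.time() + 36000})
        return ticket, encrypt(tgt_session, {"service": service, "session": svc_session.hex()})

def client_login(kdc: KDC, user: str, password: str) -> dict:
    """Obtain initial credentials; returns a credentials cache holding the TGT and its session key."""
    key = string_to_key(password, kdc.realm, user)
    tgt, enc_part = kdc.as_exchange(user, encrypt(key, {"timestamp": time.time()}))
    session = bytes.fromhex(decrypt(key, enc_part)["session"])
    return {"user": user, "tgt": tgt, "tgt_session": session, "tickets": {}}

def client_service_ticket(kdc: KDC, ccache: dict, service: str):
    """Use the cached TGT to fetch (and cache) a service ticket plus its session key."""
    if service not in ccache["tickets"]:
        auth = encrypt(ccache["tgt_session"], {"client": ccache["user"], "timestamp": time.time()})
        ticket, enc_part = kdc.tgs_exchange(ccache["tgt"], auth, service)
        svc_session = bytes.fromhex(decrypt(ccache["tgt_session"], enc_part)["session"])
        ccache["tickets"][service] = (ticket, svc_session)
    return ccache["tickets"][service]

def service_accept(service_key: bytes, service: str, ticket: dict, authenticator: dict) -> str:
    """Server side of the AP exchange: open the ticket with the service key, verify the authenticator."""
    t = decrypt(service_key, ticket)
    if t["service"] != service or t["expires"] < time.time():
        raise ValueError("ticket not valid for this service")
    auth = decrypt(bytes.fromhex(t["session"]), authenticator)
    if auth["client"] != t["client"] or abs(time.time() - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator rejected")
    return t["client"]

def demo(password: str = "correct horse") -> str:
    """Login, fetch a service ticket, authenticate to host/fileserver; returns the principal the service saw."""
    kdc = KDC("EXAMPLE.COM")  # constructed realm, users and service keys
    kdc.add_principal("alice", "correct horse")
    kdc.add_principal("host/fileserver", "svc-key-from-keytab")
    ccache = client_login(kdc, "alice", password)  # raises ValueError on a wrong password
    ticket, svc_session = client_service_ticket(kdc, ccache, "host/fileserver")
    ap_req = encrypt(svc_session, {"client": "alice", "timestamp": time.time()})
    service_key = string_to_key("svc-key-from-keytab", kdc.realm, "host/fileserver")
    return service_accept(service_key, "host/fileserver", ticket, ap_req)
```

Running `demo()` returns "alice": the service never saw the user's password, only a ticket sealed under the service's own key and an authenticator under the session key carried inside that ticket. Calling `demo("wrong")` raises at the AS exchange, which is the behaviour pre-authentication provides; without it the KDC would return the encrypted reply to anyone who asked, and a wrong password would only be discovered client-side.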

Authentication Process

The following steps describe how a client and a server authenticate each other using Kerberos. The step numbers match with the numbered arrows in Figure 1 below.