Kerberos

Kerberos is the default authentication protocol for Active Directory domains on every recent version of Windows (it replaced NTLM as the default with Windows 2000; NTLM remains only as a fallback).

The general idea is that whenever a user wants to log into a service, they are issued a ticket. The ticket acts as proof of previous authentication: the user presents it to the service instead of their credentials, so the service never sees the user's password.

Kerberos authentication

Kerberos authentication involves 3 entities:

  1. The user (client) to authenticate

  2. Key Distribution Center (KDC), a service usually installed on the Domain Controller

    • In charge of creating Kerberos tickets

  3. The service the user wants to access (e.g. a database or file share), which validates the ticket it is presented with

Overview of important terms

  1. Ticket Granting Ticket (TGT)

  • a ticket that allows a user to request further tickets (TGS) for specific services without passing their credentials to the services themselves

  2. Ticket Granting Service (TGS)

  • tickets that only allow a connection to the specific service for which they were created

  • strictly speaking, the Ticket Granting Service is the part of the KDC that issues these tickets and the ticket itself is a service ticket, but this page (like most pentesting tooling) uses TGS for the ticket

  3. Service Principal Name (SPN)

  • identifies the service and the server it runs on (of the form service-class/host, optionally with a port)

  4. Session Key

  • returned by the KDC in the response to the first TGT request, encrypted with the user's key so only the user can read it

  • required for the subsequent TGS request (and for any later TGS request made with the same TGT)

  5. Service Owner

  • the user or machine account under which a particular service runs

  6. Service Session Key

  • a copy of this key is contained within the encrypted TGS

  • the Service Owner (the configured account running the service) recovers it when it decrypts the TGS and uses it to validate the client's authenticator when that particular service is accessed

  7. Service Owner Hash

  • the long-term key derived from the Service Owner's password; used to encrypt the TGS, which is why the strength of the service account's password matters

  8. krbtgt account

The krbtgt account in Active Directory is a built-in account used by the Kerberos authentication service. Its key encrypts and signs every TGT the KDC issues (service tickets are encrypted with the service owner's key instead), so the trust in a domain's Kerberos tickets ultimately rests on that key staying secret.

The process is as follows:

  1. The user sends their username and a timestamp (encrypted using a key derived from their password) to the Key Distribution Center (KDC)

    • This is pre-authentication: the KDC checks that it can decrypt the timestamp with the key it holds for that user and that the timestamp is recent

  2. The KDC creates a Ticket Granting Ticket (TGT) and sends it back to the user along with a Session Key

    • The TGT allows the user to request service tickets (needed to access a particular service) without passing their credentials again the next time they want to access a service

    • The Session Key is required for access to a service too (discussed in detail below); it is returned encrypted with the user's key

The TGT is encrypted using the krbtgt account's password hash, so the user can carry it but cannot read or alter it; it contains a copy of the Session Key as part of its contents.

  3. When the user wants to connect to a service on the network (e.g. a database or a share), they make a request to the KDC with their username and a timestamp encrypted with the Session Key (the authenticator), the TGT and a Service Principal Name (SPN)

    • The Session Key and TGT are the ones obtained in the previous steps

    • The SPN indicates the service and the server name to access

  4. The KDC creates a Ticket Granting Service (TGS) ticket and sends it back to the user along with a Service Session Key

    • The TGS is encrypted using a key derived from the Service Owner Hash

    • The Service Owner is the user or machine account that the service runs as

    • The Service Session Key is returned encrypted with the Session Key, so only the holder of that Session Key can read it

Note that the TGS contains a copy of the Service Session Key in its encrypted content

  5. Finally, the user presents the TGS to the desired service on the network, together with a fresh authenticator encrypted with the Service Session Key

    • The service uses its configured account's password hash to decrypt the TGS, recovers the Service Session Key from it and validates the authenticator with that key

    • The KDC is not contacted at this step: the ticket is validated purely by decrypting it with the service account's key, which is why anyone who can obtain a TGS for an SPN can try to recover that account's password offline
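
The five steps above as a runnable simulation, added here as an example; it is not code from the original page or from any Kerberos implementation. It models the three parties (client, KDC, service) with a toy authenticated-encryption scheme (SHA-256 keystream plus HMAC, standing in for Kerberos's AES/RC4 encryption types). The realm CORP.LOCAL, the principals alice, svc_sql and krbtgt, their passwords and the SPN MSSQLSvc/db01.corp.local:1433 are constructed sample data. Every ticket is opaque to anyone but the holder of the key it was encrypted with, so the client carries a TGT it cannot read, and the service validates a TGS without ever talking to the KDC.

```python
import hashlib
import hmac
import json
import os
import time

# Toy stand-ins for the symmetric crypto (real KDCs use AES or RC4 encryption types).
def key_from_password(password: str, salt: str) -> bytes:
    """Long-term key derived from a principal's password (the 'hash' in the text above)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC: only a holder of `key` can read or forge what comes out."""
    plain = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))

def check_fresh(timestamp: float, skew: float = 300) -> None:
    """Kerberos rejects timestamps outside the allowed clock skew (5 minutes by default)."""
    if abs(time.time() - timestamp) > skew:
        raise ValueError("timestamp outside allowed clock skew")

class KDC:
    def __init__(self, keys: dict, spn_owner: dict):
        self.keys = keys            # long-term key of every principal, including krbtgt
        self.spn_owner = spn_owner  # SPN -> account the service runs as (Service Owner)

    def as_exchange(self, username: str, preauth: bytes):
        """Steps 1-2: check pre-authentication, return TGT + Session Key (the latter under the user's key)."""
        user_key = self.keys[username]
        check_fresh(decrypt(user_key, preauth)["timestamp"])
        session_key = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"user": username, "session_key": session_key})
        return tgt, encrypt(user_key, {"session_key": session_key})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """Steps 3-4: open the TGT with the krbtgt key, verify the authenticator, issue a TGS for the SPN."""
        body = decrypt(self.keys["krbtgt"], tgt)
        session_key = bytes.fromhex(body["session_key"])
        auth = decrypt(session_key, authenticator)
        check_fresh(auth["timestamp"])
        if auth["user"] != body["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_key = os.urandom(32).hex()
        owner_key = self.keys[self.spn_owner[spn]]  # the Service Owner Hash
        tgs = encrypt(owner_key, {"user": body["user"], "spn": spn, "service_session_key": svc_key})
        return tgs, encrypt(session_key, {"service_session_key": svc_key})

def service_authenticate(service_key: bytes, my_spn: str, tgs: bytes, authenticator: bytes) -> str:
    """Step 5: the service validates the ticket with its own key; the KDC is never contacted."""
    body = decrypt(service_key, tgs)
    if body["spn"] != my_spn:
        raise ValueError("ticket was issued for a different service")
    auth = decrypt(bytes.fromhex(body["service_session_key"]), authenticator)
    check_fresh(auth["timestamp"])
    if auth["user"] != body["user"]:
        raise ValueError("authenticator does not match ticket")
    return body["user"]

def run_exchange(user: str = "alice", password: str = "Winter2024!",
                 spn: str = "MSSQLSvc/db01.corp.local:1433") -> str:
    """Client side of the whole flow against constructed principals; returns who the service accepted."""
    keys = {  # constructed sample data: the KDC's copy of every long-term key
        "krbtgt": key_from_password("8f1c-long-random-krbtgt-secret", "CORP.LOCALkrbtgt"),
        user: key_from_password(password, "CORP.LOCAL" + user),
        "svc_sql": key_from_password("Summer2023!", "CORP.LOCALsvc_sql"),  # weak service password
    }
    kdc = KDC(keys, {spn: "svc_sql"})
    user_key = key_from_password(password, "CORP.LOCAL" + user)  # the client derives its own key
    # 1. username + timestamp encrypted with the password-derived key
    tgt, enc = kdc.as_exchange(user, encrypt(user_key, {"timestamp": time.time()}))
    session_key = bytes.fromhex(decrypt(user_key, enc)["session_key"])  # the TGT itself stays opaque
    # 3. TGT + authenticator under the Session Key + SPN
    tgs, enc = kdc.tgs_exchange(tgt, encrypt(session_key, {"user": user, "timestamp": time.time()}), spn)
    service_session_key = bytes.fromhex(decrypt(session_key, enc)["service_session_key"])
    # 5. present the TGS and a fresh authenticator under the Service Session Key to the service
    authenticator = encrypt(service_session_key, {"user": user, "timestamp": time.time()})
    return service_authenticate(keys["svc_sql"], spn, tgs, authenticator)
```

Note where the secrets live: the user's password never leaves the client, the krbtgt key never leaves the KDC, and the service only ever needs its own key. The one thing that does leave the KDC in a form an attacker can work on is the TGS, encrypted under the service account's key; with the deliberately weak svc_sql password above, an offline guess of that password would decrypt the ticket without any further interaction with the KDC.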

General overview

1

Request for Ticket Granting Ticket (TGT)

REQUEST

[User 🧑‍💻] : username, timestamp (encrypted w key derived from password) --> | KDC 🖥 |

RESPONSE

| KDC 🖥 | : TGT, Session Key --> [User 🧑‍💻]

2

Request for Ticket Granting Service (TGS)

REQUEST

[User 🧑‍💻] : username, timestamp (encrypted w Session Key), TGT, SPN --> | KDC 🖥 |

RESPONSE

| KDC 🖥 | : TGS, Service Session Key --> [User 🧑‍💻]

3

User makes a request to the desired service (e.g. database)

REQUEST

[User 🧑‍💻] : TGS --> | DB 🛢️ | : validates the Service Session Key contained in the encrypted TGS
