Kerberos
Kerberos is the default authentication protocol for any recent version of Windows.
The general idea is that whenever a user wants to log in to a service, they are issued a ticket. This ticket acts as proof of a previous authentication, and the user gains access to a service by presenting it.
Kerberos authentication
Kerberos authentication involves 2 entities:
The user to authenticate
The Key Distribution Center (KDC), a service usually installed on the Domain Controller
The KDC is in charge of creating Kerberos tickets
The process is as follows:
The user sends their username and a timestamp (encrypted using a key derived from their password) to the Key Distribution Center (KDC) described above
The KDC will create a Ticket Granting Ticket (TGT), and send this along with a session key back to the user
The TGT allows the user to request service tickets (needed to access a particular service) without presenting their credentials again the next time they want to access a service
The session key is also required to access a service (discussed in detail below)
When the user wants to connect to a service on the network (e.g. a database or a share), they make a request to the KDC containing their username, a timestamp encrypted with the session key, the TGT and a Service Principal Name (SPN).
The session key and TGT are those obtained in the previous exchange
The SPN identifies the service and the server name to access
The KDC will create a Ticket Granting Service (TGS), and send this along with a service session key back to the user
The TGS is encrypted using a key derived from the password hash of the service owner
The service owner is the user or machine account that the service runs as
Note that the TGS contains a copy of the service session key in its encrypted content
Finally, the user uses the TGS to make a request to the desired service on the network
The service uses its configured account's password hash to decrypt the TGS and validates the request using the service session key contained in the TGS
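The three exchanges described above (AS exchange for the TGT, TGS exchange for the service ticket, and the final request to the service) can be walked through end to end with a small simulation. The following is an added example written for this page, not code from any Kerberos implementation: it uses a toy authenticated-encryption routine built from SHA-256 and HMAC (real Kerberos uses the AES enctypes of RFC 3962 / RFC 8009), and the realm name CORP.LOCAL, the accounts alice, svc_sql and krbtgt, the SPN MSSQLSvc/db01.corp.local:1433 and the passwords are all constructed for the example. What it makes visible is which key protects each message: the user's password-derived key for pre-authentication, the krbtgt key for the TGT, the session key for the user's authenticator, and the service account's key for the service ticket, plus the timestamp-freshness check that limits replay of captured authenticators.

```python
import hashlib, hmac, json, os, time

# --- Toy authenticated encryption (constructed for this example; real Kerberos uses
# --- AES-CTS with HMAC-SHA1 or SHA-256 enctypes, RFC 3962 / RFC 8009). ----------------
def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def enc(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(password, salt):
    # Same shape as the RFC 3962 string-to-key: PBKDF2 over the password, salted
    # with REALM + principal name, so the same password gives different keys per account.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

MAX_SKEW = 300  # seconds; the default tolerated clock skew in a Windows domain is 5 minutes

def _fresh(ts, now):
    # An authenticator older than the skew window is rejected: replaying a captured
    # authenticator later than this fails even if the attacker never learns the key.
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside allowed skew")

class KDC:
    def __init__(self, realm, accounts, spns):
        self.realm, self.accounts, self.spns = realm, accounts, spns  # name->key, spn->account

    def as_exchange(self, user, enc_timestamp, now):
        # Pre-authentication: only the holder of the password-derived key can produce this.
        _fresh(dec(self.accounts[user], enc_timestamp)["ts"], now)
        skey = os.urandom(32)
        tgt = enc(self.accounts["krbtgt"], {"cname": user, "skey": skey.hex(), "exp": now + 36000})
        return tgt, enc(self.accounts[user], {"skey": skey.hex()})  # TGT + session key

    def tgs_exchange(self, user, tgt, authenticator, spn, now):
        t = dec(self.accounts["krbtgt"], tgt)  # only the KDC can read a TGT
        if t["exp"] < now or t["cname"] != user:
            raise ValueError("TGT expired or principal mismatch")
        skey = bytes.fromhex(t["skey"])
        _fresh(dec(skey, authenticator)["ts"], now)  # proves the caller holds the session key
        svc_key = self.accounts[self.spns[spn]]      # key of the account the service runs as
        sskey = os.urandom(32)
        ticket = enc(svc_key, {"cname": user, "sskey": sskey.hex(), "exp": now + 36000})
        return ticket, enc(skey, {"sskey": sskey.hex()})  # service ticket + service session key

class Service:
    def __init__(self, key):
        self.key = key  # derived from the service account's own password

    def accept(self, ticket, authenticator, now):
        t = dec(self.key, ticket)  # the ticket is encrypted to the service account's key
        if t["exp"] < now:
            raise ValueError("service ticket expired")
        auth = dec(bytes.fromhex(t["sskey"]), authenticator)
        _fresh(auth["ts"], now)
        if auth["cname"] != t["cname"]:
            raise ValueError("authenticator principal does not match ticket")
        return t["cname"]  # the authenticated principal

def build_realm():
    # Constructed realm: one user, one service account, and the KDC's own krbtgt key.
    realm = "CORP.LOCAL"
    accounts = {"krbtgt": os.urandom(32),
                "alice": password_key("Correct-Horse-Battery", realm + "alice"),
                "svc_sql": password_key("svc-pa55word-constructed", realm + "svc_sql")}
    kdc = KDC(realm, accounts, {"MSSQLSvc/db01.corp.local:1433": "svc_sql"})
    return kdc, Service(accounts["svc_sql"])

def client_login(kdc, service, user, password, spn, now=None):
    now = now or time.time()
    ukey = password_key(password, kdc.realm + user)
    tgt, blob = kdc.as_exchange(user, enc(ukey, {"ts": now}), now)              # AS exchange
    skey = bytes.fromhex(dec(ukey, blob)["skey"])
    ticket, blob = kdc.tgs_exchange(user, tgt, enc(skey, {"ts": now}), spn, now)  # TGS exchange
    sskey = bytes.fromhex(dec(skey, blob)["sskey"])
    return service.accept(ticket, enc(sskey, {"cname": user, "ts": now}), now)    # AP exchange

if __name__ == "__main__":
    kdc, svc = build_realm()
    print(client_login(kdc, svc, "alice", "Correct-Horse-Battery", "MSSQLSvc/db01.corp.local:1433"))
```

Note that the service never talks to the KDC: it trusts the ticket purely because only the KDC holds its account key, which is why the strength of the service account's password (and of the krbtgt key) decides how much the whole chain is worth.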
General overview