Active Directory Kerberos Ticket

What is Kerberos?

Kerberos is the authentication protocol used when we log in to a Windows machine that is part of a domain.

In Kerberos authentication, both the client and the server verify themselves against a central Key Distribution Center (KDC). What is the KDC and how does it work?

The KDC includes two services:

Authentication Server (AS)
Ticket Granting Server (TGS)

How does the Authentication Server verify the user?

When a client wants to verify itself to the KDC, it first connects to the AS. It presents its user ID to the AS and requests a ticket for the targeted server.

This request is partially encrypted with a secret key derived from the client’s password (so the plain password is never sent over an insecure network). The AS uses the same password-derived key to decrypt the request; if decryption succeeds, the client must know the password. This is how the AS verifies the user.

After verifying the client, the AS sends the client a Ticket Granting Ticket (TGT). The TGT is encrypted with a different secret key.

After the client gets the TGT, it sends the TGT to the TGS along with its request to access the target server.

When the TGS receives the TGT, it decrypts it with a secret key that it shares with the AS.

The TGS then issues a token (the service ticket) for the client, encrypted with another key. This third key is shared between the TGS and the targeted server.

Finally, the client sends the token to the targeted server. The targeted server decrypts the token with the key it shares with the TGS. Now the client can use the targeted server for a limited time (the lifetime set in the token).

The Kerberos authentication process uses three different secret keys.

  1. The first key, between the client and the AS, is derived from the client’s password.
  2. The AS and the TGS share another secret key.
  3. The TGS and the targeted server share the third key.
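The three-key flow described above, as an added runnable model that is not part of the original article: each party holds only the keys the list assigns to it, the AS verifies the user by decrypting a pre-authentication blob with the password-derived key, and a wrong password is rejected at step 1. The user name, realm, service name, password and the toy hash-keystream cipher are all constructed for the demo; real Kerberos uses proper ciphers and also returns session keys in each reply, which this model omits to stay with the article’s three-key view.

```python
import hashlib, hmac, json, os, time

def derive_key(password: str, salt: bytes) -> bytes:
    # Key 1 is derived from the password on both sides; PBKDF2 stands in for AD's real string-to-key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key: bytes, body: dict) -> bytes:
    # Toy authenticated encryption (hash keystream + HMAC tag), constructed for this demo only.
    nonce, pt = os.urandom(16), json.dumps(body).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")  # a holder without the key learns nothing
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed secrets standing in for the three keys the article lists (not real AD values).
SALT = b"EXAMPLE.LOCAL:alice"
K_CLIENT = derive_key("correct horse battery staple", SALT)  # key 1: client <-> AS
K_TGS = os.urandom(32)                                        # key 2: AS <-> TGS
K_SERVICE = os.urandom(32)                                    # key 3: TGS <-> target server

def kerberos_login(password: str, service: str, lifetime: int = 600) -> dict:
    """Walk the AS -> TGS -> target-server exchange; return what the server learns, raise on failure."""
    now = int(time.time())
    # 1. AS exchange: the client encrypts a timestamp with its password-derived key; the AS decrypts
    #    it with the same key, which only works if the password was right (this is the verification).
    unseal(K_CLIENT, seal(derive_key(password, SALT), {"timestamp": now}))
    tgt = seal(K_TGS, {"user": "alice", "expires": now + lifetime})  # TGT is opaque to the client
    # 2. TGS exchange: the client forwards the TGT; the TGS opens it with the key it shares with the AS.
    tgt_body = unseal(K_TGS, tgt)
    if tgt_body["expires"] < now:
        raise ValueError("TGT expired")
    ticket = seal(K_SERVICE, {"user": tgt_body["user"], "service": service, "expires": now + lifetime})
    # 3. The client presents the service ticket; only the target server holds key 3 and can open it.
    return unseal(K_SERVICE, ticket)

def login_fails(password: str, service: str) -> bool:
    try:
        kerberos_login(password, service)
        return False
    except ValueError:
        return True
```

Calling `kerberos_login("correct horse battery staple", "cifs/fs01.example.local")` returns the decrypted service ticket with `user` set to `alice`, while `login_fails("hunter2", "cifs/fs01.example.local")` returns `True` because the AS cannot decrypt the pre-authentication blob.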

The same approach is used in SSH.