Kerberos in Windows – An Overview

Kerberos is used since a long time as an authentication protocol in the UNIX world. It entered the Windows family with Windows 2000 and is used with all the OS releases till date. Windows Active Directory uses Kerberos as a default authentication protocol. Its major advantage over other authentication schemes is its interoperability with Unix systems. When coupled with a strong password, Kerberos is considered to be the toughest to break through. Kerberos V5 is the current version used in the Windows Family.

Kerberos Architecture typically works on the concept of mutual authentication. Unlike other authentication techniques Kerberos authentication verifies the identity of the client as well as the server. NTLM misses this technique of validation as it has no provision of validating the server.

Architectural Dependencies
•    Operating System – Windows brought Kerberos in its family since Windows 2000 so operating systems prior to Windows 2000 would fail to use Kerberos.
•    Network Connectivity – For Kerberos to function correctly it is essential that there exist a TCP IP connectivity between client and the domain controller
•    DNS – Client in a Kerberos process uses FQDN (Fully Qualified Domain Name) of the Domain Controller to access resources hence DNS should exist and should be configured properly.
•    ADS 2000 or above – Properly configured ADS is essential for Kerberos as it has its KDC (Key Distribution Center) and TGS (Ticket Granting Service)components associated with it. Windows 2000 /2003 /2008 domain environment can use Kerberos.
•    Time Synchronization – For Kerberos to function correctly all systems and servers should be using the same source for time synchronization. An authoritative time source (usually domain controller in AD environments) is necessary as it would make sure that the entire network has the same time synchronized.
•    SPNs – Every service which uses Kerberos needs to have a Service Principal Names set for it so as to identify the service on the network. Clients locate this service only by identifying these SPNs.
Let’s walk through the process that functions whenever a user logs on to the client system in a typical Domain Environment.


1.    User Enters credentials on the logon screen which is sent to Winlogon to the LSA (local Security Authority) for processing.
2.    The LSA passes this info to Kerberos (kerberos.dll) through SSPI (Security Server Provider interface- Secur32.dll).
3.    This information along with the encrypted timestamp is sent to the KDC (Key Distribution Center) A TGT (Ticket-granting Ticket) is requested along with this information.
4.    The KDC decrypts the provided information and Issues a TGT. The issued TGT is encrypted and sent to client along with the SID of the user Account and SIDs of its associated groups.*TGT typically contains session key, account name for the authenticated user and maximum ticket life time.
5.    Using this TGT client requests a service ticket from the Kerberos Service on the domain Controller.
6.    Domain Controller using the Ticket Granting Service issues an encrypted service ticket to the client.
Client uses this service ticket to access resources over the LAN which provides user identity info and associated SID info for permissions
Kerberos provides enhanced authentication for the distributed computing environment and standardization to interoperate with other operating systems. This MIT Developed authentication protocol is widely used in all operating system and comes as default with windows Active directory Environment.

1 thought on “Kerberos in Windows – An Overview

  1. Pingback: GPO Kerberos Policies - Windows Server - Wintel Geeks

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s