Your Knowledge Center for all Active Directory Security-Related Research

Kerberos: The Network Authentication Protocol

The Kerberos authentication protocol provides the transparent Single Sign-On (SSO) experience. SSO lets users actively authenticate (i.e. provide their password) only once, even though they access various services, whether in the corporate network or in the Cloud (where the Kerberos ticket is translated into SAML tokens).

The Kerberos authentication protocol works in the following manner:

Figure: Kerberos message flow

  1. The user provides the domain name, user name and password to log on to their computer.
  2. The computer authenticates to the Authentication Server (AS) residing on the Key Domain Controller (KDC). Accordingly, the KDC provides the computer with a Ticket Granting Ticket (TGT). The TGT is an identifier that enables the computer to request access to services without requiring the user to re-supply their credentials.
  3. Each time the computer attempts to access a service, it first identifies itself to the Domain Controller (DC), residing on the KDC, with the TGT provided earlier by the AS. The DC, through its Ticket Granting Server (TGS), provides the user with a ticket for the particular requested service.
  4. The user presents the service ticket to the service. Since the ticket was validated by the TGS, the service grants authorization. Accordingly, the connection between the user and the service is established.
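The four steps above, carried through as an added toy model of the three Kerberos exchanges (AS-REQ/AS-REP, TGS-REQ/TGS-REP and AP-REQ). This is example code written for this page, not code from the original article or from any Kerberos implementation: it uses a constructed keystream-plus-HMAC "seal" in place of the real Kerberos encryption types, JSON instead of ASN.1, PBKDF2 in place of string2key, and invented principal names (`alice`, `cifs/fs01`, `http/web01`, realm `EXAMPLE.LOCAL`). What it does preserve is the part that matters for a defender: the TGT is sealed with a key only the KDC holds, each service ticket is sealed with that service's own key, every request carries a fresh authenticator under the session key, and tickets expire.

```python
"""Toy model of the Kerberos AS / TGS / AP exchanges (constructed example, not real Kerberos)."""
import hashlib, hmac, json, os, time

LIFETIME = 600  # ticket lifetime in seconds (toy value; real tickets live hours)
SKEW = 300      # max clock skew tolerated for authenticators / pre-auth timestamps

def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (real Kerberos uses string2key with a principal-derived salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: SHA-256 keystream XOR plus an HMAC tag. Illustration only."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def fresh(ts: float) -> None:
    """Reject timestamps outside the skew window (stale or replayed authenticator)."""
    if abs(time.time() - ts) > SKEW:
        raise ValueError("timestamp outside allowed clock skew")

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""
    def __init__(self, realm: str, users: dict, services: list):
        self.realm = realm
        self.user_keys = {u: derive_key(p, realm + u) for u, p in users.items()}
        self.service_keys = {s: os.urandom(32) for s in services}
        self.krbtgt_key = os.urandom(32)  # known only to the KDC; seals every TGT

    def as_exchange(self, user: str, preauth: bytes):      # step 2: AS-REQ -> AS-REP
        fresh(unseal(self.user_keys[user], preauth)["ts"])  # encrypted-timestamp pre-authentication
        sk = os.urandom(32)                                  # TGT session key
        tgt = seal(self.krbtgt_key, {"user": user, "sk": sk.hex(), "exp": time.time() + LIFETIME})
        return seal(self.user_keys[user], {"sk": sk.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):  # step 3: TGS-REQ -> TGS-REP
        t = unseal(self.krbtgt_key, tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)
        fresh(a["ts"])
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        ssk = os.urandom(32)                                 # service session key
        ticket = seal(self.service_keys[service],
                      {"user": t["user"], "sk": ssk.hex(), "exp": time.time() + LIFETIME})
        return seal(sk, {"sk": ssk.hex(), "service": service}), ticket

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> str:  # step 4: AP-REQ
        t = unseal(self.key, ticket)   # only this service's key opens its tickets
        if time.time() > t["exp"]:
            raise ValueError("service ticket expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        fresh(a["ts"])
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match ticket")
        return t["user"]

def client_login(kdc: KDC, user: str, password: str, service_obj: Service, service_name: str) -> str:
    """Steps 1-4 from the client's side; returns the principal the service accepted."""
    uk = derive_key(password, kdc.realm + user)                                   # step 1
    enc_part, tgt = kdc.as_exchange(user, seal(uk, {"ts": time.time()}))          # step 2
    sk = bytes.fromhex(unseal(uk, enc_part)["sk"])   # a wrong password fails here, not at the service
    enc_part2, ticket = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service_name)  # step 3
    ssk = bytes.fromhex(unseal(sk, enc_part2)["sk"])
    return service_obj.ap_exchange(ticket, seal(ssk, {"user": user, "ts": time.time()}))  # step 4

def demo() -> str:
    """Constructed realm: one user, two services; returns the name cifs/fs01 accepted."""
    kdc = KDC("EXAMPLE.LOCAL", {"alice": "correct horse battery staple"}, ["cifs/fs01", "http/web01"])
    fs01 = Service("cifs/fs01", kdc.service_keys["cifs/fs01"])
    return client_login(kdc, "alice", "correct horse battery staple", fs01, "cifs/fs01")

if __name__ == "__main__":
    print("service accepted principal:", demo())
```

Two properties are worth noticing when running it. A wrong password is detected at the AS step (the pre-authentication timestamp cannot be unsealed with the user's real key), so the KDC is the place to log and alert on failed logons. A ticket issued for `http/web01` is rejected outright by `cifs/fs01`, because each ticket is sealed with the target service's own key; a service never needs to contact the KDC to validate a ticket, which is exactly why the secrecy of the krbtgt and service account keys is the whole foundation of the scheme.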