How Kerberos Authentication Works - LayerOne Networks

How Kerberos Authentication Works

If you think that having a strong password is enough for your data security, think again!

Every time you log in to a host using your password, you are exposed to attacks and security threats. If hackers get their hands on your password and log in as ‘you’, they will have complete access to all your data.

Kerberos is an authentication protocol that prevents unauthorized access. It authenticates service requests between users and hosts over untrusted networks. Kerberos authentication is used by major platforms such as Microsoft Windows, Apple OS, Linux, and Unix.

Kerberos was developed by the Massachusetts Institute of Technology (MIT) in the 1980s as a protection protocol for its own projects. It was named after Cerberus, a three-headed creature from Greek mythology. The three heads signify the client, the server, and the Key Distribution Center (KDC).

What are the Components in the Kerberos Environment?

Before we move on to how Kerberos actually works, let’s take a look at the basic components.


The agents are the principal entities involved in a typical Kerberos workflow.

  • The client is the person who initiates the request for communication.
  • The application server hosts the service that the client requests.

The Key Distribution Center (KDC) consists of three parts for authentication: a database (DB), the Authentication Server (AS), and the Ticket Granting Server (TGS).


Tickets are the permissions issued to users, allowing them to perform a set of actions in a Kerberos environment. There are two types:

  • Ticket Granting Service (TGS) ticket is encrypted with the service key and used to authenticate to a service.
  • Ticket Granting Ticket (TGT) is issued by the authentication server to the client for requesting the TGS.

Encryption Keys

Kerberos handles several keys that are encrypted securely to prevent corruption or access by hackers. Some of the encryption keys used in Kerberos are:

  • User key
  • Service key
  • Session key
  • Service session key
  • KDC key

How Kerberos Authentication Works?

The prime purpose of Kerberos authentication is to secure a user’s access to a service through a series of steps that guard against security threats and unauthorized access to passwords. Essentially, the user needs to access a network server to get access to a file.

You can go to any company offering managed IT services to implement Kerberos encryption. Even so, it’s essential to have a basic idea of how security is implemented and how the data access is encrypted. So, here are the steps of Kerberos security and authentication:

1. Initial Authentication Request from the Client

When the client tries to log in to the server, it sends an authenticator to the KDC, requesting a TGT from the authentication server.

This authenticator has information like the password, the client ID, as well as the date and time of the authentication request. The part of the message with the password is encrypted, while the other part is plain text.

2. KDC Checks the Credentials

KDC is the Kerberos server that validates the credentials received from the client. The server first decrypts the authenticator message and checks against the database for the client’s information and the availability of the TGS.

After finding both pieces of information, the server generates a secret key for the user using the password hash. It then generates a TGT that contains information about the client credentials, such as the client ID, date and time stamp, the network address and a few more authentication details. Finally, the secret key is encrypted with a password that only the server knows and is sent to the client.

The TGT is then stored in Kerberos for a few hours. If the system crashes, the TGTs won’t be stored anywhere.

3. The Decryption of the Key by the Client

The client decrypts the message received from the KDC by using the secret key. The client’s TGT is then authenticated and the message is extracted.

4. Using TGT to Access Files

If the client wants to access specific files on the server, it sends a copy of the TGT and the authenticator to the KDC requesting access.

When KDC receives this message, it notices that the client is already authenticated. So, it decrypts the TGT using the encryption password to check if it matches.

If the password is validated, then it considers it to be a safe request.

5. Creation of Ticket for File Access

To allow the client to access the specific files requested, the KDC generates another ticket. It encrypts the ticket with the secret key, and the ticket includes the method of accessing the files.

This ticket now lies in the Kerberos tray for the next eight hours. This means the client can access the file server as long as the ticket is valid.

6. Authentication Using the Ticket

The client decrypts the message using the key and this generates a new set of client information, including client ID, date and time stamp and network address.

This is sent to the server in the form of an encrypted service ticket. The server decrypts the ticket and checks whether the client’s details match the authenticator and fall within the file access validity period. Once the details match, the server sends a message of verification to the client.
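
The six steps above, as an added Python sketch that is not part of the original article and is not a real Kerberos implementation. Here the client proves it knows the password by encrypting a timestamp under a key derived from it, as Kerberos 5 pre-authentication does, so the password itself never crosses the network. The cipher is a toy encrypt-then-MAC built from HMAC-SHA256, and all names (`seal`, `unseal`, `issue`, `accept`, `login`, the `alice@EXAMPLE.TEST` principal) are assumptions made for the illustration.

```python
import hashlib, hmac, json, os, time

MAX_SKEW, LIFETIME = 300, 8 * 3600  # seconds; constructed values for this demo

def _stream(key, nonce, n):
    blocks = [hmac.new(key, b"E" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC, standing in for a real Kerberos encryption type."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"M" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"M" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def issue(client, ticket_key, reply_key):
    """KDC side: new session key, once inside the ticket, once sealed for the client."""
    sk = os.urandom(32).hex()
    ticket = seal(ticket_key, {"client": client, "sk": sk, "exp": time.time() + LIFETIME})
    return ticket, seal(reply_key, {"sk": sk})

def accept(ticket, authenticator, long_term_key):
    """Check made by the KDC in step 4 and by the application server in step 6."""
    t = unseal(long_term_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    fresh = abs(time.time() - a["ts"]) <= MAX_SKEW and time.time() <= t["exp"]
    if a["client"] != t["client"] or not fresh:
        raise ValueError("authenticator does not match ticket, or ticket expired")
    return t["client"]

def login(password, stored_key, kdc_key, service_key, client="alice@EXAMPLE.TEST"):
    uk = hashlib.pbkdf2_hmac("sha256", password.encode(), client.encode(), 10_000)
    preauth = seal(uk, {"ts": time.time()})          # 1: client -> KDC, no password sent
    if abs(time.time() - unseal(stored_key, preauth)["ts"]) > MAX_SKEW:  # 2: KDC checks
        raise ValueError("stale request")
    tgt, reply = issue(client, kdc_key, stored_key)  # 2: TGT plus sealed session key
    sk = bytes.fromhex(unseal(uk, reply)["sk"])      # 3: client recovers session key
    auth = seal(sk, {"client": client, "ts": time.time()})
    who = accept(tgt, auth, kdc_key)                 # 4: KDC validates TGT + authenticator
    ticket, reply = issue(who, service_key, sk)      # 5: service ticket for the file server
    ssk = bytes.fromhex(unseal(sk, reply)["sk"])     # 6: client builds a new authenticator
    return accept(ticket, seal(ssk, {"client": client, "ts": time.time()}), service_key)
```

The client can never read or alter a ticket, because tickets are sealed under keys it does not hold (the KDC key and the service key); it only learns the session key sealed for it alongside each ticket.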

Wrapping Up

Kerberos authentication is regularly updated to meet new security threats. It is one of the most widely used authentication protocols among the tech giants, which means it has been tested against rigorous security attacks. If you want to protect your server and your user data from the prying eyes of unscrupulous people, then go for Kerberos encryption.

Our data experts at LayerOne Networks can help you implement such security and authentication protocols to protect your data. Reach out to us for managed IT services and securing your company from any online security vulnerabilities.