Kerberos
What's Kerberos and what is it supposed to solve?
What Is Kerberos?
Kerberos is an authentication protocol developed by MIT in the 70s, and its name in systems such as Linux is "krb5"
If you've heard of Kerberos somewhere (in the context of IT rather than mythology), it's probably because of Active Directory in some way
What Is The Purpose?
In my opinion, the best authentication protocol is one where the password is never visible at any point during the credential exchange
And this is exactly what Kerberos does -> it's an authentication protocol that basically hides the password from the network
How Does It Work?
Let's say you want to access a file on a remote server; to do that you first have to authenticate, and the authentication method is Kerberos:
- You navigate to that file
- The computer requires you to authenticate
- You input your user and password (or Windows does that for you with an existing token or your NTLM hash)
- The computer encrypts the Kerberos AS-REQ (request) with the user's password (technically a key derived from it, however the password was provided)
- The computer sends the authentication request to the domain's Domain Controller (DC) -> at this step the DC might require pre-authentication (encrypting a timestamp before the regular exchange)
- The DC already has the user's password on file, so it tries to decrypt the request with it
- If it succeeds, the DC returns a valid AS-REP (response); if not, the request is rejected with a "Bad password" error (0x18)
All of these communications (well, at least some of the information inside them) are encrypted with the user's password by both parties -> more on that in the Learn More section
- Now the user has what is called a TGT (Ticket Granting Ticket), a generic Kerberos ticket that the user / computer can then use to request specific service tickets (TGS)
- The computer asks the DC for the target TGS using the proper SPN (Service Principal Name)
- If the SPN exists, the DC approves the request; otherwise it rejects it with a "Bad server" error (0x7)
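A compact simulation of the exchange just described, added here as an illustration and not code from the original page: the client derives its key from the password, the DC checks the pre-auth timestamp with the key it has on file, issues a TGT, and then issues a service ticket for an SPN (or the two error codes above). The realm, accounts, passwords and the keystream-plus-HMAC "encryption" are constructed stand-ins, not real Kerberos encryption types.

```python
import hashlib, hmac, json

KDC_ERR_PREAUTH_FAILED = 0x18          # "Bad password" in the walkthrough above
KDC_ERR_S_PRINCIPAL_UNKNOWN = 0x7      # "Bad server" in the walkthrough above
KRB_AP_ERR_TKT_EXPIRED = 0x20          # TGT past its lifetime

def string_to_key(password, principal):
    # Like the AES etypes: PBKDF2(password, realm + principal); the password itself never leaves the client
    return hashlib.pbkdf2_hmac("sha256", password.encode(), ("EXAMPLE.LOCAL" + principal).encode(), 4096, 32)
def keystream(key, n):  # constructed stand-in keystream, not a real Kerberos etype
    return b"".join(hmac.digest(key, bytes([i]), "sha256") for i in range(n // 32 + 1))[:n]
def encrypt(key, obj):  # keystream XOR plus an HMAC tag over the JSON-encoded message
    data = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
    return ct + hmac.digest(key, ct, "sha256")
def decrypt(key, blob):  # None when the key is wrong: that is how the DC "rejects" an AS-REQ
    ct, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.digest(key, ct, "sha256"))
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))) if ok else None

# Constructed KDC database: the DC holds derived keys for users, the krbtgt account and each SPN
KDC_DB = {"alice": string_to_key("Winter2024!", "alice"),
          "krbtgt": string_to_key("kdc-secret", "krbtgt"),
          "cifs/fs01.example.local": string_to_key("host-secret", "cifs/fs01.example.local")}

def kdc_as_exchange(user, pa_enc_timestamp, now):
    # AS-REQ with pre-auth: try the stored key on the encrypted timestamp (5-minute skew allowed)
    pa = decrypt(KDC_DB[user], pa_enc_timestamp) if user in KDC_DB else None
    if pa is None or abs(now - pa["ts"]) > 300:
        return {"error": KDC_ERR_PREAUTH_FAILED}
    session = hashlib.sha256(f"{user}:{now}".encode()).hexdigest()   # constructed session key
    tgt = encrypt(KDC_DB["krbtgt"], {"cname": user, "key": session, "exp": now + 8 * 3600})
    return {"enc_part": encrypt(KDC_DB[user], {"key": session}), "tgt": tgt}
def kdc_tgs_exchange(tgt, spn, now):
    # TGS-REQ: open the TGT with the krbtgt key, check its lifetime, then look up the SPN
    t = decrypt(KDC_DB["krbtgt"], tgt)
    if t is None or now > t["exp"]:
        return {"error": KRB_AP_ERR_TKT_EXPIRED}
    if spn not in KDC_DB:
        return {"error": KDC_ERR_S_PRINCIPAL_UNKNOWN}
    return {"ticket": encrypt(KDC_DB[spn], {"cname": t["cname"], "svc": spn, "key": t["key"]})}

def client_login(user, password, spn, now=1700000000):
    key = string_to_key(password, user)              # computed locally, never sent
    rep = kdc_as_exchange(user, encrypt(key, {"ts": now}), now)
    if "error" in rep:
        return rep["error"]
    session = decrypt(key, rep["enc_part"])["key"]   # only the matching key opens the AS-REP
    tgs = kdc_tgs_exchange(rep["tgt"], spn, now)
    return tgs["error"] if "error" in tgs else {"session_key": session, "ticket": tgs["ticket"]}
```

Nothing that crosses the wire (the pre-auth timestamp, AS-REP, TGT or service ticket) contains the password; a wrong password shows up only as the DC failing to open the AS-REQ.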
Bonus
- If the authentication is rejected with a "Bad server" error, the client will try to fall back to NTLM
- Did you know that you can also use a user UPN as an SPN? (Try it to understand it - Good luck!)
Note: if a TGT already exists, the app / computer will probably skip the steps leading up to it and use the existing TGT to request an applicable TGS
How Is It Better Than NTLM?
- It supports better encryption types
- It has a ticket (token) lifetime -> the default is 8 hours (so one session can be used for 8 hours before it needs to re-authenticate) -> saves processing power and bandwidth
What Ports Are Used With This Protocol?
Kerberos uses port 88 for communication (on the DC side; the computers that initiate the request use dynamic ports)