How Kerberos Works in Windows Active Directory

Kerberos is the native authentication protocol in Active Directory, and it's essential to understand how it works to get a grasp of more advanced concepts in networking such as authentication and delegation.

You might be surprised to find out that many people that work with Active Directory don’t know how Kerberos works, which can complicate troubleshooting when things go wrong. 

We have summarized some key information about how Kerberos works in Windows Active Directory, as well as some useful information about how the whole process works. 

You will have a general idea of how all of these components work by the time you finish reading this article, so let’s get started.

What Problems Does Kerberos Solve?

The main reason that you would want to use Kerberos is for security. If you think about it, the process of authenticating users to services often must happen over unsecured networks. 

But what is an unsecured network? 

We normally think of an unsecured network as being something like a public Wi-Fi Access Point, but the truth is that any network can be considered as being unsecured.

The reason is that users and resources need to be managed and audited effectively to ensure that nothing is accessed by users that should not be able to. 

So, even though you know the computers and users on your network, there is no way to be completely sure that there are no bad actors or external threats targeting your network.

This means that a secure sign-on implementation like Kerberos is vital for modern networks, which is why Active Directory uses it to keep things accessible and safe at the same time.

Understanding Kerberos Basics

Kerberos is a secure authentication protocol, and it is most used as the basis for single sign-on and allows information to be transmitted securely over a network. 

Kerberos can also be used as effective access control, as only users that are authenticated can access resources on the network. 

Active Directory leverages these characteristics and makes it easier to administer thanks to user and security groups - making it much quicker to give access to resources on a larger scale.

This is all well and good, but how does Kerberos authentication work with Active Directory?

Related: How to Design Your First Database.

Basic Authentication with Kerberos

In almost all authentication processes there are three main players. These are:

• The Client or User that is trying to access a resource on the network.

• The Resource that needs to be accessed by the user.

• The Key Distribution Center (KDC) in Windows environments - we know this as the Domain Controller.

With Kerberos, the client takes on the majority of the processing burden, which distributes that authentication workload across the network in a way that's secure and trustworthy.

The client constructs an authenticator, which includes a date and time, and some other information. This is sent to the KDC or domain controller, which can then verify the user's identity.

Kerberos uses the user’s password as an encryption key, and the domain controller can see the key in clear text. If you can decrypt the Authenticator, you don't need to use it anymore; instead, you can create a ticket-granting ticket (TGT).

The domain controller is going to encrypt the user's information and send it to the client. The client is going to store the data in a special area of memory called the Kerberos Tray.

Transmitting Data with Kerberos

The client logs on and requests a ticket from the Key Distribution Center. The Key Distribution Center uses its key to decrypt the ticket and gives the client a ticket for the file server.

The client keeps a copy of the ticket in its Kerberos tray and sends a copy to the domain controller, which generates a ticket, which is then sent to the file server, which generates a ticket, along with a request to the resource.

The file server accepts a ticket from a user and uses the client's username and group membership to decide what rights to give the user. The client must resend the file server a copy of their certificate every time they want to use the file server.

That is all there really is to it. It is a complicated system but when broken down into a basic step-by-step overview, it becomes very easy to understand without getting lost in the technicalities that are under the hood.

There's a command-line utility called KerbTray that lets you view a Kerberos tray, which is how the whole Kerberos protocol works. This is especially handy if you want to understand how the authentication process with Kerberos works.

Final Thoughts

It is always helpful to understand the basic flow of authentication on any given system that you must work with, and Kerberos is no exception.

By visualizing how users are (or aren’t) accessing data and resources on the network, you can more quickly troubleshoot, and find when things go wrong, even with a basic understanding of how the authentication flow works.