Kerberos
Kerberos is a network authentication protocol designed to provide secure authentication for users and services in a distributed computing environment. It is widely used as the primary authentication mechanism in Windows Active Directory domains and many other network environments.
Kerberos Terminology
Key Distribution Center (KDC) The KDC, typically hosted on a Domain Controller, is responsible for managing cryptographic keys and granting access to network services. Two main components of the KDC are the Authentication Server and Ticket Granting Server.
Authentication Server (AS) The AS verifies the authenticating user's identity by checking their credentials. Once the user is authenticated, the AS generates a TGT encrypted with a secret key derived from the user's password.
Ticket Granting Server (TGS) A user presents their TGT to the TGS when they want to access a network service. The TGS decrypts the TGT using the TGS's master key, validates the user's identity, and gives the user an ST encrypted using the service's password.
Ticket Granting Ticket (TGT) A user's TGT is used to authenticate to the Ticket Granting Server in order to obtain a Service Ticket.
Service Ticket (ST) A user presents their ST to a service to authenticate and access its resources (sometimes confusingly referred to as TGS since the ST is stored inside the TGS-REP).
Privilege Attribute Certificate (PAC) The PAC contains information about the authenticated user and their privileges on the network. It is encrypted by either the KDC key (TGT) or the requested service account's key (ST), so the authenticated user cannot modify their own rights.
Service Principal Name (SPN) An SPN is a unique identifier for a service used in Kerberos Authentication.
Here is a quick high-level overview of how Kerberos authentication works:
The client requests a TGT from the KDC by sending an AS_REQ.
If pre-authentication is required (default), the AQ_REQ includes a timestamp encrypted with the client's Kerberos key, which is derived from the user's password
The KDC responds with an AS_REP.
Contains a TGT encrypted with the krbtgt account key and a session key encrypted with the client’s Kerberos key
The session key encrypted with the client's Kerberos key will be used by the client to securely communicate with the KDC when requesting additional tickets
The client connects with a service and negotiates the authentication.
The application protocol (such as SMB, HTTP, LDAP, etc.) may use SPNEGO to negotiate authentication
The client requests an ST from the KDC by sending a TGS_REQ.
The TGS_REQ includes the TGT, an authenticator encrypted with the TGT session key, and the SPN of the target service
The KDC decrypts the TGT using the krbtgt key and responds with a TGS_REP.
The TGS_REP contains a service ticket encrypted with the service account's key and a client-service session key encrypted with the TGT session key.
The client sends the ST to the service with an AP_REQ message.
The service decrypts the ST using its own key and obtains the client identity, session key, and PAC
The service reads the PAc to determine the user's permissions.
The target service sends an AP_REP to the client to confirm that it is the legitimate service.
All Tickets contain a timestamp and a PAC for authentication and authorization purposes.
Kerberos Extensions
Kerberos extensions are additional features added to the standard Kerberos protocol that provide additional functionality, security, and flexibility. I'll talk about a few important ones here.
The PAC (Privilege Attribute Certificate) is a structure within Kerberos TGTs and STs that contains authorization data for a user, such as group memberships, user privileges, etc.
The PAC can also contain the NTLM hashes of the authenticating user, allowing users to switch to NTLM authentication when the target server doesn't support Kerberos.
S4U2Self allows a service to obtain a Service Ticket to itself on behalf of a user without needing the user's password or TGT.
How it works:
ServiceA authenticates to the KDC
ServiceA requests a ST on behalf of the user to itself without requiring authentication from the user
KDC issues the ST that allows User -> ServiceA
S4U2Proxy allows a service to obtain a ST to another service on behalf of a user. This is commonly chained after a S4U2Self.
How it works:
ServiceA requests a ST for ServiceB by providing the ST for User -> ServiceA to the KDC
KDC validates the delegation policy
KDC issues the ST that allows User -> ServiceB
U2U (User-to-User) allows for authentication between two parties (user-to-user or user-to-service and vice versa) using each other's TGTs. This is typically used in situations where both parties need to verify each other's identity.
How it works:
You have access to UserA's (you) TGT and UserB's TGT
UserA requests a ST for UserB from the KDC by providing UserA and UserB's TGT
KDC returns a ST encrypted using ServiceB's session key
PKINIT (Public Key Cryptography for Initial Authentication) allows a client to authenticate to the KDC using public key cryptography and certificates instead of a password-derived key.
How it works:
Client sends AS_REQ to KDC containing a PKINIT pre-authentication structure, which contains data signed with the certificate's private key
KDC validates the certificate and checks the UPN or SID
KDC responds with a TGT
Kerberos authentication continues normally
Last updated