Kerberos

Kerberos is a network authentication protocol designed to provide secure authentication for users and services in a distributed computing environment. It is widely used as the primary authentication mechanism in Windows Active Directory domains and many other network environments.

Kerberos Terminology

Key Distribution Center (KDC): The KDC, typically hosted on a Domain Controller, is responsible for managing cryptographic keys and granting access to network services. Its two main components are the Authentication Server and the Ticket Granting Server.

Authentication Server (AS): The AS verifies the authenticating user's identity by checking their credentials. Once the user is authenticated, the AS issues a TGT; the accompanying session material is encrypted with a secret key derived from the user's password.

Ticket Granting Server (TGS): A user presents their TGT to the TGS when they want to access a network service. The TGS decrypts the TGT using the TGS's master key, validates the user's identity, and gives the user an ST encrypted with the key derived from the service account's password.

Ticket Granting Ticket (TGT): A user's TGT is used to authenticate to the Ticket Granting Server in order to obtain a Service Ticket.

Service Ticket (ST): A user presents their ST to a service to authenticate and access its resources.

Privilege Attribute Certificate (PAC): The PAC contains information about the authenticated user and their privileges on the network. It is protected by either the KDC key (TGT) or the requested service account's key (ST), so the authenticated user cannot modify their own rights.

Service Principal Name (SPN): An SPN is a unique identifier for a service used in Kerberos authentication.

Kerberos Authentication

[Diagram omitted: image from Attacking AD]

Here is a quick high-level overview of how Kerberos authentication works:

  1. The client requests a TGT from the KDC by sending an AS_REQ, which may carry additional data encrypted with the client's Kerberos key (Kerberos pre-authentication; not always required).

  2. The KDC responds with an AS_REP containing a TGT encrypted with the KDC key and a session key encrypted with the client's Kerberos key; the session key is used to encrypt and authenticate further communication with the KDC.

  3. The client connects with a service and negotiates the authentication using SPNEGO.

  4. The client requests an ST from the KDC by sending a TGS_REQ that includes the TGT and the SPN of the target service.

  5. The KDC decrypts the TGT with its Kerberos key to access the username and the session key. The KDC responds with a TGS_REP containing an ST and session key for the client to encrypt communications with the target service.

  6. The client sends the ST to the service with an AP_REQ message. The service decrypts the ST and gets the service session key and the PAC. The service will use security information from the PAC to determine what access the user has to its resources.

  7. The target service sends an AP_REP to the client to prove that it really is the service the client intended to reach (mutual authentication).

All tickets contain a timestamp and a PAC, used for authentication and authorization respectively.
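The seven steps above, walked through end to end in a toy model. This is an added example, not code from the page's author or from any Kerberos implementation: messages are Python dicts rather than ASN.1, the "encryption" is a constructed HMAC-based authenticated-encryption stand-in rather than a real Kerberos enctype, and the realm (user `alice`, the `krbtgt` account, the SPN `cifs/fileserver`, the group names, the clock-skew window) is made up for the demo. What it shows is which party can open which message with which key: the client never gets to read or alter the TGT or the PAC inside it, the service never sees the user's key, and freshness of the timestamps is checked at every hop.

```python
"""Added example: toy walk-through of the Kerberos AS, TGS and AP exchanges.
Not the real wire format; names, keys and the PAC contents are constructed."""
import hashlib, hmac, json, os, time

SKEW = 300  # assumed tolerated clock skew in seconds (constructed for the demo)


def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key: the long-term key comes from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (nonce || ciphertext || tag); stands in for a Kerberos enctype."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal; raises ValueError if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _fresh(ts: float) -> bool:
    return abs(time.time() - ts) <= SKEW


class KDC:
    """AS and TGS sharing one principal database (principal name -> long-term key)."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.pacs = {"alice": {"user": "alice", "groups": ["Domain Users", "FileShare-RW"]}}  # constructed

    def as_exchange(self, as_req: dict) -> dict:  # steps 1-2
        user_key = self.keys[as_req["cname"]]
        try:  # pre-authentication: only someone holding the user's key can produce a fresh timestamp
            if not _fresh(unseal(user_key, as_req["padata"])["timestamp"]):
                raise ValueError
        except ValueError:
            raise PermissionError("pre-authentication failed")
        session_key = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": as_req["cname"], "session_key": session_key,
                                         "pac": self.pacs[as_req["cname"]], "endtime": time.time() + 36000})
        return {"tgt": tgt, "enc_part": seal(user_key, {"session_key": session_key})}

    def tgs_exchange(self, tgs_req: dict) -> dict:  # steps 4-5
        tgt = unseal(self.keys["krbtgt"], tgs_req["tgt"])  # only the KDC can open a TGT
        auth = unseal(bytes.fromhex(tgt["session_key"]), tgs_req["authenticator"])
        if auth["cname"] != tgt["cname"] or not _fresh(auth["timestamp"]) or time.time() > tgt["endtime"]:
            raise PermissionError("invalid TGT or authenticator")
        svc_key = os.urandom(32).hex()
        st = seal(self.keys[tgs_req["sname"]], {"cname": tgt["cname"], "session_key": svc_key,
                                                "pac": tgt["pac"], "endtime": time.time() + 36000})
        return {"st": st, "enc_part": seal(bytes.fromhex(tgt["session_key"]), {"session_key": svc_key})}


class Service:
    def __init__(self, spn: str, key: bytes):
        self.spn, self.key = spn, key

    def ap_exchange(self, ap_req: dict) -> tuple:  # steps 6-7
        st = unseal(self.key, ap_req["st"])  # only the service account's key opens its ST
        svc_key = bytes.fromhex(st["session_key"])
        auth = unseal(svc_key, ap_req["authenticator"])
        if auth["cname"] != st["cname"] or not _fresh(auth["timestamp"]) or time.time() > st["endtime"]:
            raise PermissionError("invalid ST or authenticator")
        granted = "FileShare-RW" in st["pac"]["groups"]  # authorization decision comes from the PAC
        return granted, seal(svc_key, {"timestamp": auth["timestamp"]})  # AP_REP: mutual authentication


def client_login(kdc: KDC, service: Service, user: str, password: str) -> dict:
    """Run the whole exchange from the client's side and report what the client learned."""
    user_key = derive_key(password, user)
    as_rep = kdc.as_exchange({"cname": user, "padata": seal(user_key, {"timestamp": time.time()})})
    session_key = bytes.fromhex(unseal(user_key, as_rep["enc_part"])["session_key"])
    try:  # the client carries the TGT but cannot read it (and so cannot edit the PAC inside)
        unseal(user_key, as_rep["tgt"]); tgt_opaque = False
    except ValueError:
        tgt_opaque = True
    tgs_rep = kdc.tgs_exchange({"tgt": as_rep["tgt"], "sname": service.spn,
                                "authenticator": seal(session_key, {"cname": user, "timestamp": time.time()})})
    svc_key = bytes.fromhex(unseal(session_key, tgs_rep["enc_part"])["session_key"])
    granted, ap_rep = service.ap_exchange({"st": tgs_rep["st"],
                                           "authenticator": seal(svc_key, {"cname": user, "timestamp": time.time()})})
    return {"user": user, "granted": granted, "tgt_opaque_to_client": tgt_opaque,
            "service_authenticated": "timestamp" in unseal(svc_key, ap_rep)}


def build_realm() -> tuple:
    """Constructed demo realm: one user, the krbtgt account and one file service."""
    keys = {"alice": derive_key("correct horse", "alice"), "krbtgt": os.urandom(32), "cifs/fileserver": os.urandom(32)}
    return KDC(keys), Service("cifs/fileserver", keys["cifs/fileserver"])


if __name__ == "__main__":
    print(client_login(*build_realm(), "alice", "correct horse"))
```

Two properties worth noticing when reading the code: the KDC never learns the user's password, only the derived key, and the service's authorization decision is taken from the PAC it unsealed with its own key, not from anything the client asserted in plaintext. A forged ticket sealed under any key other than `krbtgt` (for a TGT) or the service account (for an ST) fails the tag check and is rejected before its contents are looked at.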

Kerberos Extensions

Kerberos extensions are additional features added to the standard Kerberos protocol that provide additional functionality, security, and flexibility. I'll talk about a few important ones here.

The PAC (Privilege Attribute Certificate) is a structure within Kerberos TGTs and STs that contains authorization data for a user such as group memberships, user privileges, etc.

The PAC can also contain the NTLM hash of the authenticating user, allowing the user to fall back to NTLM authentication when the target server doesn't support Kerberos.
