IT:AD:Infrastructure:Security:Kerberos

  1. To log on to the network, a user provides account credentials (name/password).
  2. The Authentication Server (AS) component of the KDC reads the user's account information from Active Directory (AD) in order to verify the given credentials.
  3. The KDC grants a Ticket Granting Ticket (TGT).
     * The TGT allows the user to obtain service session tickets to access servers in the domain without having to enter the credentials again.
     * The TGT is good for 10 hours by default (it's configurable).
  4. When the user attempts to access a domain server's resources, the client presents the TGT to the KDC to obtain a Service (Session) Ticket (ST).
  5. The KDC's Ticket Granting Service (TGS) component authenticates the TGT and grants an ST.
     * The ST consists of a ticket and a session key.
     * An ST is created for both the client and the server being accessed.
  6. The client presents the ST to create a session with the service on the server.
  7. The server uses its key to decrypt the information from the TGS within the ST, and the client is authenticated to the server.
  8. If mutual authentication is enabled, the server also authenticates to the client.
  • The heart of the solution is that the credentials are only used during login.
  • They are never passed from client to server again.
  • Neither the name nor the password is sent over the wire.
  • Why use it?
  • How does it compare to Impersonation?
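The eight steps above as a runnable walk-through, added here as an example and not part of the original notes. The realm, principal names, password and the seal()/unseal() cipher (a SHA-256 keystream with an HMAC tag) are constructed stand-ins, not the real Kerberos encryption types, but the message flow is the one described: the password-derived key is used only for pre-authentication and to open the AS reply, the TGT is readable only by the KDC, the service ticket is readable only by the server, and the server proves it holds the session key in its reply (mutual authentication).

```python
# Toy Kerberos AS / TGS / AP exchanges. Constructed example; crypto is a stand-in, not RFC 3961.
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.LOCAL"      # constructed realm name
TGT_LIFETIME = 10 * 3600     # the 10-hour default
SKEW = 300                   # accept authenticators within 5 minutes of "now"

def string_to_key(password, principal):
    """Long-term key derived from the password; this is what the KDC stores, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000, 32)

def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a small dict under key (toy stand-in for Kerberos EncryptedData)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Check the MAC, then decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def fresh(ts):
    return abs(time.time() - ts) < SKEW

class KDC:
    """Authentication Server plus Ticket Granting Service; accounts[principal] = long-term key."""
    def __init__(self, accounts):
        self.accounts, self.krbtgt_key = accounts, os.urandom(32)

    def as_exchange(self, cname, pa_enc_timestamp):
        user_key = self.accounts[cname]                            # step 2: look up the stored key
        if not fresh(unseal(user_key, pa_enc_timestamp)["ts"]):   # wrong password -> MAC fails here
            raise PermissionError("pre-authentication failed")
        sk, exp = os.urandom(32).hex(), time.time() + TGT_LIFETIME
        tgt = seal(self.krbtgt_key, {"cname": cname, "sk": sk, "exp": exp})   # step 3: the TGT
        return tgt, seal(user_key, {"sk": sk, "exp": exp})        # session key, readable only by the user

    def tgs_exchange(self, tgt, authenticator, sname):
        t = unseal(self.krbtgt_key, tgt)                           # step 5: only the KDC can open a TGT
        if time.time() > t["exp"]:
            raise PermissionError("TGT expired")
        tgt_sk = bytes.fromhex(t["sk"])
        auth = unseal(tgt_sk, authenticator)
        if auth["cname"] != t["cname"] or not fresh(auth["ts"]):
            raise PermissionError("bad authenticator")
        svc_sk = os.urandom(32).hex()
        st = seal(self.accounts[sname], {"cname": t["cname"], "sk": svc_sk})   # ST under the service key
        return st, seal(tgt_sk, {"sk": svc_sk, "sname": sname})

class Client:
    def __init__(self, cname, password, kdc):
        self.cname, self.kdc = cname, kdc
        self.user_key = string_to_key(password, cname)             # step 1: credentials stay on the client

    def login(self):
        pa = seal(self.user_key, {"ts": time.time()})              # proves the key without sending it
        self.tgt, enc = self.kdc.as_exchange(self.cname, pa)
        self.tgt_sk = bytes.fromhex(unseal(self.user_key, enc)["sk"])
        del self.user_key                                          # the password-derived key is not needed again

    def access(self, server, sname):
        auth = seal(self.tgt_sk, {"cname": self.cname, "ts": time.time()})
        st, enc = self.kdc.tgs_exchange(self.tgt, auth, sname)    # step 4: TGT -> service ticket
        sk = bytes.fromhex(unseal(self.tgt_sk, enc)["sk"])
        ts = time.time()
        ap_rep = server.ap_exchange(st, seal(sk, {"cname": self.cname, "ts": ts}))   # step 6
        return unseal(sk, ap_rep)["ts"] == ts                      # step 8: server proved it holds the session key

class Server:
    def __init__(self, key):
        self.key = key

    def ap_exchange(self, st, authenticator):
        t = unseal(self.key, st)                                   # step 7: decrypt the ST with its own key
        sk = bytes.fromhex(t["sk"])
        auth = unseal(sk, authenticator)
        if auth["cname"] != t["cname"] or not fresh(auth["ts"]):
            raise PermissionError("client not authenticated")
        return seal(sk, {"ts": auth["ts"]})                        # mutual-authentication reply

def demo(password="hunter2-constructed"):
    """Full login plus one service access; returns True when mutual authentication succeeds."""
    accounts = {"alice": string_to_key("hunter2-constructed", "alice"),
                "cifs/fileserver": os.urandom(32)}                  # constructed directory contents
    kdc, fileserver = KDC(accounts), Server(accounts["cifs/fileserver"])
    alice = Client("alice", password, kdc)
    alice.login()
    return alice.access(fileserver, "cifs/fileserver")
```

Run demo() to see a successful login and service access; demo(password="wrong") fails at the KDC's pre-authentication check with ValueError, because the client sealed its timestamp under a key the KDC does not hold. Note what never crosses the simulated wire: the password, the password-derived key, and the krbtgt key. Note also which checks each party makes: the KDC checks freshness of the pre-authentication timestamp and TGT expiry, and both the KDC and the server check that the authenticator is fresh and names the same principal as the ticket it accompanies.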