🍈 Zettelkasten

❯

❯

Kerberos

Mar 23, 20262 min read

networking

Created by MIT. A Single Sign On authentication protocol used while the user is logged in. Grants them tickets for the current session.

Uses Symmetric Encryption.
Ensures packets are encrypted for authentication.
Protects against MITM and Replay Attack.

Protocol

We want host $A$ to talk to file server $B$

Assumed shared key both Authentication Server and host knows (could be host’s password in AD)
Request a ticket from kerberos server to get TGT
1. Send a request to talk to Ticket Granting Server, pass in $n_{a}$
KDC returns a message that is Encrypted with a session ticket $K_{a s}$ containing:
1. Shared symmetric key $K_{a t}$
2. $n_{a}$ random number to stop Replay Attack
3. $T$ time
4. $L$ lifespan
5. id TGS
KDC returns the TGT containing:
1. Shared symmtric key $K_{a t}$
2. id $A$
3. $L$ lifespan
Host $A$ sends request to talk to fileserver $B$
1. Host sends request encrypted with $K_{a t}$ :
  1. id $A$
  2. $T_{a}$ time
  3. id $B$
  4. $n_{a}$ random number to stop Replay Attack
2. Host sends TGT
TGS returns a new ticket to talk to the server $B$ encrypted with $K_{a t}$ containing:
1. $K_{ab}$ shared key
2. $n_{a}$ random number
3. $T_{t}$ time
4. $L$ lifespan

Concepts

Key Distribution Center
- Authentication Server
- Ticket Server
Kerberoasting Attack
Kerberos SSO Process
Ticket Granting Ticket
USN
Mutual Authentication
ntds

Graph View

Protocol
Concepts

Backlinks

Single Sign On
UTORAuth
IPSec Modes
Network Protocol
NT LAN Manager
Ticket Granting Ticket
ntds
Access Control Standards
Active Directory 101 Why AD Security is Mission Critical
Authentication Server
CompTIA Security+
Kerberoasting Attack

Created with Quartz v4.4.0 © 2026

GitHub
Discord Community