Kerberos Authentication

Kerberos is the native authentication protocol in Active Directory.

each domain controller acts as a Key Distribution Center (KDC) and provides two core services:

Authentication Service (AS) — Authenticates clients and issues them tickets

Ticket Granting Service (TGS) — Accepts authenticated clients and issues them tickets to access other resources.

Two Session Keys:

1-    TGS session key (symmetric key generated by AS).

2-    Service session key (symmetric key generated by TGS)

Three Secret Keyes:

1-    Client secret key (client password hash)

2-    TGS secret key (TGS)

3-    Service secret key (Service Server)

Client Authentication:

1-    The client sends a cleartext message of the user ID to the AS (Authentication Server) requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.)

2-    The AS checks to see whether the client is in its database. If it is, the AS generates the secret key by hashing the password of the user found at the database (e.g., Active Directory in Windows Server) and sends back the following two messages to the client:

*Message A: Client/TGS Session Key encrypted using the secret key of the client/user.

*Message B: Ticket-Granting-Ticket (TGT, which includes the client ID, client network address, ticket validity period, and the Client/TGS Session Key) encrypted using the secret key of the TGS.

Once the client receives messages A and B, it attempts to decrypt message A with the secret key generated from the password entered by the user. 

If the user entered password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A. 

With a valid password and secret key the client decrypts message A to obtain the Client/TGS Session Key. 

This session key is used for further communications with the TGS. 

(Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.

Client Service Authorization

3-    When requesting services (ex: Access to file server shares), the client sends the following messages to the TGS:

*Message C: Composed of the message B (the encrypted TGT using the TGS secret key) and the ID of the requested service.

*Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key (found by the client in Message A).

4-    Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key. 

This gives it the Client/TGS Session Key and the client ID (both are in the TGT). Using this Client/TGS Session Key, the TGS decrypts message D (Authenticator) and compares the client IDs from messages B and D; if they match, the server sends the following two messages to the client:

*Message E: Client-to-server ticket (which includes the client ID, client network address, validity period, and Client/Server Session Key) encrypted using the service's secret key.

*Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.

Client Service Request

5-    Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the Service Server (SS). 

The client connects to the SS and sends the following two messages:

*Message E: From the previous step (the Client-to-server ticket, encrypted using service's Secret key by the (TGS).

*Message G: A new Authenticator, which includes the client ID, timestamp and is encrypted using Client/Server Session Key.

6-    The SS decrypts the ticket (message E) using its own secret key to retrieve the Client/Server Session Key. Using the sessions key, SS decrypts the Authenticator and compares client ID from messages E and G, if they match server sends the following message to the client to confirm its true identity and willingness to serve the client:

*Message H: The timestamp found in client's Authenticator, encrypted using the Client/Server Session Key.

The client decrypts the confirmation (message H) using the Client/Server Session Key and checks whether the timestamp is correct. 

If so, then the client can trust the server and can start issuing service requests to the server. The server provides the requested services to the client.