Kerberos
What is Kerberos?
KerberosA ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
Kerberos was developed at MIT and standardised as RFC 4120. A client authenticates to the Key Distribution Center (KDC), which issues a Ticket-Granting Ticket (TGT). The client uses the TGT to request service tickets for individual servers, avoiding the need to retransmit a password. Tickets are time-bounded and encrypted with shared keys, providing mutual authentication and replay protection. Kerberos underpins authentication in Active Directory, many Linux/Unix realms, and Hadoop deployments. Known weaknesses include attacks against weak service-account passwords (Kerberoasting), forged tickets (Golden/Silver Ticket), and clock-skew issues; modern defences combine strong service-account secrets, AES-only encryption, and constrained delegation.
● Examples
- 01
An Active Directory user receiving a TGT from a Windows domain controller, then a service ticket to access a SharePoint server.
- 02
Hadoop using Kerberos to authenticate NameNode and DataNode communication.
● Frequently asked questions
What is Kerberos?
A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services. It belongs to the Identity & Access category of cybersecurity.
What does Kerberos mean?
A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
How do you defend against Kerberos?
Defences for Kerberos typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Kerberos?
Common alternative names include: Kerberos protocol.