CyberGlossary

Identity & Access

Kerberos

Also known as: Kerberos protocol

Definition

A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.

Kerberos was developed at MIT and standardised as RFC 4120. A client authenticates to the Key Distribution Center (KDC), which issues a Ticket-Granting Ticket (TGT). The client uses the TGT to request service tickets for individual servers, avoiding the need to retransmit a password. Tickets are time-bounded and encrypted with shared keys, providing mutual authentication and replay protection. Kerberos underpins authentication in Active Directory, many Linux/Unix realms, and Hadoop deployments. Known weaknesses include attacks against weak service-account passwords (Kerberoasting), forged tickets (Golden/Silver Ticket), and clock-skew issues; modern defences combine strong service-account secrets, AES-only encryption, and constrained delegation.
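The ticket flow described above (AS exchange for a TGT, TGS exchange for a service ticket, AP exchange at the service) as a runnable simulation. This is an added example, not code from the glossary, from MIT Kerberos or from RFC 4120: the realm, principals and password are constructed, the cipher is a toy HMAC-SHA256 keystream with a tag rather than a real Kerberos encryption type, and the message field names are simplified. What it does keep faithful are the checks a ticket consumer performs: tickets are opened only with the key of the party they are issued to, every ticket carries a validity window and is compared against the clock with a 5-minute skew allowance, the authenticator's timestamp and nonce feed a replay cache, and the service's AP-REP echoes the client's timestamp to prove it holds the session key (mutual authentication).

```python
import hashlib, hmac, json, os, secrets

REALM = "EXAMPLE.LOCAL"          # constructed realm, not a real domain
MAX_SKEW = 300                   # seconds; Kerberos' customary 5-minute clock-skew allowance
TGT_LIFETIME = 10 * 3600         # seconds
SERVICE_TICKET_LIFETIME = 3600   # seconds

def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from a password (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag); NOT a Kerberos etype."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_ticket(ticket: dict, auth: dict, now: float) -> None:
    """Validity checks every ticket consumer (TGS or service) performs."""
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if not (ticket["start"] - MAX_SKEW <= now <= ticket["end"] + MAX_SKEW):
        raise ValueError("ticket outside its validity window")
    if abs(auth["timestamp"] - now) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside allowed clock skew")

def authenticator(session: bytes, client: str, now: float) -> bytes:
    return seal(session, {"client": client, "timestamp": now, "nonce": secrets.token_hex(8)})

class KDC:
    """Authentication Service + Ticket-Granting Service; holds every long-term key."""
    def __init__(self, passwords: dict):
        self.keys = {p: derive_key(pw, p) for p, pw in passwords.items()}

    def as_exchange(self, client: str, preauth: bytes, now: float) -> bytes:
        # Pre-authentication: the client proves key knowledge with an encrypted timestamp
        if abs(unseal(self.keys[client], preauth)["timestamp"] - now) > MAX_SKEW:
            raise ValueError("pre-auth timestamp outside allowed clock skew")
        session = secrets.token_hex(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session,
                                          "start": now, "end": now + TGT_LIFETIME})
        return seal(self.keys[client], {"key": session, "ticket": tgt.hex()})   # AS-REP

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: float) -> bytes:
        t = unseal(self.keys["krbtgt"], tgt)            # only the KDC can open a TGT
        session = bytes.fromhex(t["key"])
        check_ticket(t, unseal(session, auth), now)
        svc_session = secrets.token_hex(32)
        st = seal(self.keys[service], {"client": t["client"], "key": svc_session, "start": now,
                                        "end": min(t["end"], now + SERVICE_TICKET_LIFETIME)})
        return seal(session, {"key": svc_session, "ticket": st.hex()})       # TGS-REP

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket: bytes, auth: bytes, now: float) -> bytes:
        t = unseal(self.key, ticket)                    # opened with the service's own key
        session = bytes.fromhex(t["key"])
        a = unseal(session, auth)
        check_ticket(t, a, now)
        marker = (a["client"], a["timestamp"], a["nonce"])
        if marker in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(marker)
        return seal(session, {"timestamp": a["timestamp"]})   # AP-REP proves key possession

def get_service_ticket(kdc: KDC, user: str, password: str, service: str, now: float):
    """Client side of AS + TGS; returns (service session key, service ticket)."""
    user_key = derive_key(password, user)
    as_rep = unseal(user_key, kdc.as_exchange(user, seal(user_key, {"timestamp": now}), now))
    tgt_session, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["ticket"])
    tgs_rep = unseal(tgt_session, kdc.tgs_exchange(tgt, authenticator(tgt_session, user, now), service, now))
    return bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])

def rejected(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True

def run_demo() -> dict:
    """Constructed scenario: one user, one service, the happy path plus three failures."""
    pw = {"krbtgt": secrets.token_hex(16), "alice": "correct horse battery staple",
          "http/web01": secrets.token_hex(16)}
    kdc, now = KDC(pw), 1_700_000_000.0
    web = Service("http/web01", kdc.keys["http/web01"])
    svc_session, st = get_service_ticket(kdc, "alice", pw["alice"], web.name, now)
    auth = authenticator(svc_session, "alice", now)
    ap_rep = unseal(svc_session, web.ap_exchange(st, auth, now))     # first use accepted
    return {
        "login_ok": ap_rep["timestamp"] == now,                       # mutual authentication
        "replay_rejected": rejected(lambda: web.ap_exchange(st, auth, now + 1)),
        "expired_rejected": rejected(lambda: web.ap_exchange(
            st, authenticator(svc_session, "alice", now + 7200), now + 7200)),
        "wrong_password_rejected": rejected(lambda: get_service_ticket(kdc, "alice", "wrong", web.name, now)),
    }

if __name__ == "__main__":
    print(run_demo())
```

Note how the failure modes map onto the text: the replayed AP-REQ is caught by the replay cache even though its timestamp is still within skew, the ticket presented two hours later fails the validity window, and a wrong password never gets past pre-authentication because the KDC cannot open the timestamp. The service-ticket lifetime is capped at the TGT's own end time, which is how a ticket chain stays time-bounded from the initial logon.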

Examples

  • An Active Directory user receiving a TGT from a Windows domain controller, then a service ticket to access a SharePoint server.
  • Hadoop using Kerberos to authenticate NameNode and DataNode communication.

Related terms