Kerberos
Kerberos is a ticket-based network authentication protocol used in Active Directory environments for secure identity verification of users and services without transmitting passwords over the network.
What is Kerberos?
Kerberos is a network authentication protocol based on cryptographic tickets, designed at MIT in the 1980s and used as the default authentication mechanism in Active Directory. The user’s password is never transmitted over the network — instead, a system of tickets issued by a trusted third party (KDC) enables secure identity verification.
Kerberos in a nutshell
- What it does: verifies user/service identity without sending passwords over the network
- Where it runs: Active Directory (default), MIT Kerberos (Linux/macOS), Azure AD (legacy)
- Key component: KDC (Key Distribution Center) — issues TGT and Service Tickets
- TGT lifetime: 10 hours by default, max 7 days
- Most dangerous attack: Golden Ticket (stealing KRBTGT hash = full domain control)
Key components
- KDC (Key Distribution Center) — central trust point; in AD, domain controller fills this role. Composed of Authentication Server (AS) and Ticket Granting Server (TGS).
- TGT (Ticket Granting Ticket) — ticket obtained after initial authentication, valid for 10 hours by default. Encrypted with KRBTGT account key.
- Service Ticket (TGS) — ticket for a specific service (file share, database, web server), issued by TGS based on valid TGT.
- SPN (Service Principal Name) — unique identifier of a service instance in the domain.
Most dangerous attacks on Kerberos
- Kerberoasting — requesting TGS tickets for service accounts with weak passwords, offline crack via Hashcat. Defense: gMSA (Group Managed Service Accounts) with automatic 240-character password rotation.
- Golden Ticket — forged TGT from stolen KRBTGT hash, unlimited domain access. Defense: double KRBTGT password rotation every 180 days.
- AS-REP Roasting — attack on accounts with pre-authentication disabled. Defense: enable pre-auth for all accounts.
- Pass-the-Ticket — ticket theft from LSASS memory. Defense: Credential Guard.
Frequently asked questions
+ What is Kerberos in simple terms?
Kerberos is a network authentication protocol based on cryptographic tickets. Instead of transmitting passwords over the network, it uses a trusted third party (KDC) to issue tickets that prove user identity. It is the default authentication mechanism in Active Directory.
+ How does Kerberos work in 3 steps?
1) AS Exchange — the client receives a TGT from the Authentication Server after pre-authentication. 2) TGS Exchange — the client exchanges the TGT for a Service Ticket to a specific service. 3) AP Exchange — the client presents the Service Ticket to the target server, which verifies the ticket and grants access. The whole process is transparent to the user (SSO mechanism).
+ What is the difference between TGT and TGS?
TGT (Ticket Granting Ticket) is issued after initial login, valid for 10 hours, encrypted with the KRBTGT account key — used to request further tickets. TGS (Ticket Granting Server) is a KDC role, and a Service Ticket (sometimes called TGS) is a specific ticket for a single service, issued by TGS upon presenting a valid TGT.
+ How does Kerberos differ from NTLM?
Kerberos uses symmetric cryptography and timestamped tickets; NTLM is based on challenge-response with password hashes. Kerberos supports mutual authentication (client and server verify each other), NTLM does not. Kerberos is the default in AD since Windows 2000, NTLM remains as a fallback — but for security reasons it should be disabled (audit: Event ID 4776).
+ How to defend against Golden Ticket attack?
Golden Ticket is a forged TGT created from a stolen KRBTGT account hash — gives attacker unlimited domain access. Defenses: (1) double KRBTGT password rotation every 180 days, (2) monitoring of TGTs with unusual lifetimes >10h, (3) Tier 0 isolation of domain controllers, (4) LAPS for local admin accounts, (5) Credential Guard on workstations.
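As an added example (not code from the original page), a read-only PowerShell audit of three of the defenses listed above for AS-REP Roasting, Kerberoasting and Golden Ticket: it assumes the RSAT ActiveDirectory module and a domain account with read access, and the only threshold it uses is the 180-day KRBTGT rotation interval from the text; the finding names are illustrative.

```powershell
# Added example, not code from the original page. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$now = Get-Date

# 1) AS-REP Roasting: accounts with Kerberos pre-authentication disabled.
$preAuth = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth |
    ForEach-Object {
        [pscustomobject]@{ Check = 'PreAuthDisabled'; Account = $_.SamAccountName
                           Detail = 'Enable Kerberos pre-authentication for this account' }
    }

# 2) Kerberoasting: user-class accounts that carry an SPN. Their Service Tickets
#    are encrypted with a human-chosen password. gMSAs are a separate object
#    class (Get-ADServiceAccount), so they are absent from this list by design.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $age = if ($_.PasswordLastSet) { "password age $([int]($now - $_.PasswordLastSet).TotalDays) days" }
               else { 'password never set' }
        [pscustomobject]@{ Check = 'UserAccountWithSPN'; Account = $_.SamAccountName
                           Detail = "SPN $($_.ServicePrincipalName[0]); $age; migrate to a gMSA" }
    }

# 3) Golden Ticket hygiene: KRBTGT password older than the 180-day interval.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtDays = [int]($now - $krbtgt.PasswordLastSet).TotalDays
$rotation = if ($krbtgtDays -gt 180) {
    [pscustomobject]@{ Check = 'KrbtgtRotationOverdue'; Account = 'krbtgt'
                       Detail = "Password last set $krbtgtDays days ago; rotate twice, letting replication finish between the two changes" }
}

# Combine the findings; $rotation is $null when the KRBTGT password is fresh.
$findings = @($preAuth) + @($spnUsers) + @($rotation | Where-Object { $_ })
$findings | Sort-Object Check, Account | Format-Table -AutoSize
```

Run it from a management host as a read-only check; an empty table means none of the three conditions was found in the domain.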