Ticket, Please: A Kerberos Overview


Kerberos is an authentication system designed to work in an environment where the client is not fully trusted. In short, a key distribution center (KDC) accepts a password from the user and gives that user a ticket that contains a session key. However, the content of the ticket is encrypted with a secret key known only to the server. In this way, a client must have both a valid password and a ticket in order to access services protected by Kerberos, yet the client cannot view or modify the ticket. The user presents this ticket to application servers, which check the validity of the ticket and permit access based on the result.

The client first requests and receives a ticket granting ticket (TGT), which is used to authenticate to the KDC. Then, the client presents the TGT to the ticket granting service (TGS) and receives a service ticket, which is used to authenticate to an application server. The goals of Kerberos are to protect credentials using encryption, to prevent replay attacks, and to serve as a centralized authentication system (single sign-on). Figure 10-1 illustrates a simplified version of the ticket granting steps. This is merely an introduction to the concept of tickets; we have ignored several steps, such as key exchange, but these are handled by the protocol.

Figure 10-1: Kerberos ticket distribution

A Kerberos ticket contains a realm (similar in concept to a Windows domain), the server name, the session key, the client realm, the client name, and two time values marking the start and end of the ticket's validity. The session key and validity times are the most important parts of the ticket for authentication purposes: the session key is used to identify the user, and the validity times limit the ticket's lifetime to protect against replay attacks.
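The exchange described in this section, as an added example that is not part of the book: a stdlib-only Python model of the three ticket steps (AS exchange for the TGT, TGS exchange for a service ticket, and the application server's check). The seal/unseal "encryption" is a constructed HMAC-SHA256 keystream with an authentication tag standing in for the real Kerberos encryption types; the realm EXAMPLE.COM, the user alice and her password, the service principal http/www.example.com, the lifetime and the clock-skew value are all made-up. It shows the points made above: the client carries a ticket it can neither read nor alter, the server checks the validity window, and the session key is what the client proves it holds.

```python
"""Toy model of the Kerberos ticket flow (AS -> TGS -> application server).
Constructed example, stdlib only: seal()/unseal() is a toy encrypt-then-MAC
scheme built on HMAC-SHA256; realm, principals, lifetime and skew are made up."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"      # constructed realm (similar in concept to a Windows domain)
LIFETIME = 8 * 3600        # ticket validity in seconds (constructed)
SKEW = 300                 # allowed clock skew for authenticators, in seconds (constructed)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, data: dict) -> bytes:
    """Encrypt and authenticate a dict under key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(data).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first, then decrypt. Wrong key or any tampering -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password: str, principal: str) -> bytes:
    """String-to-key: derive the user's long-term key from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    """Holds every principal's long-term key; krbtgt is the ticket granting service's own key."""

    def __init__(self):
        self.keys = {"krbtgt/" + REALM: os.urandom(32)}

    def add_user(self, name, password):
        self.keys[name] = password_key(password, name + "@" + REALM)

    def add_service(self, name):
        self.keys[name] = os.urandom(32)

    def _issue(self, client, server, now):
        """A ticket is sealed under the *server's* key: the client carries it but cannot read it."""
        skey = os.urandom(32)
        ticket = seal(self.keys[server], {
            "realm": REALM, "server": server, "session_key": skey.hex(),
            "crealm": REALM, "client": client, "start": now, "end": now + LIFETIME})
        return ticket, skey

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: the TGT, plus the session key sealed under the user's password key."""
        tgt, skey = self._issue(client, "krbtgt/" + REALM, now)
        return tgt, seal(self.keys[client], {"session_key": skey.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: validate the TGT, then issue a service ticket for `service`."""
        t = check_ticket(self.keys["krbtgt/" + REALM], tgt, authenticator, now)
        st, skey = self._issue(t["client"], service, now)
        return st, seal(bytes.fromhex(t["session_key"]), {"session_key": skey.hex()})


def make_authenticator(session_key: bytes, client: str, now: int) -> bytes:
    """Fresh proof that the presenter knows the ticket's session key."""
    return seal(session_key, {"client": client, "timestamp": now})


def check_ticket(server_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> dict:
    """What a server does with a presented ticket: returns the decrypted ticket or raises."""
    t = unseal(server_key, ticket)                 # forged, altered or foreign tickets fail here
    if not t["start"] <= now <= t["end"]:
        raise ValueError("ticket outside its validity window")
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"] or abs(a["timestamp"] - now) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return t


def rejects(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def run_scenario(now: int = 0) -> dict:
    """Full login of user alice to a web service, plus the checks the text describes."""
    now = now or int(time.time())
    svc = "http/www.example.com"                   # constructed service principal
    kdc = KDC()
    kdc.add_user("alice", "correct horse")
    kdc.add_service(svc)
    # Client side: it knows only its own password-derived key.
    ckey = password_key("correct horse", "alice@" + REALM)
    tgt, enc = kdc.as_exchange("alice", now)
    tgt_key = bytes.fromhex(unseal(ckey, enc)["session_key"])
    st, enc2 = kdc.tgs_exchange(tgt, make_authenticator(tgt_key, "alice", now), svc, now)
    st_key = bytes.fromhex(unseal(tgt_key, enc2)["session_key"])
    # Application server side: it knows only its own long-term key.
    client = check_ticket(kdc.keys[svc], st, make_authenticator(st_key, "alice", now), now)["client"]
    tampered = st[:20] + bytes([st[20] ^ 1]) + st[21:]   # one flipped ciphertext byte
    later = now + LIFETIME + 1
    return {
        "client": client,
        "client_can_read_ticket": not rejects(lambda: unseal(ckey, st)),
        "tamper_rejected": rejects(lambda: check_ticket(
            kdc.keys[svc], tampered, make_authenticator(st_key, "alice", now), now)),
        "expired_rejected": rejects(lambda: check_ticket(
            kdc.keys[svc], st, make_authenticator(st_key, "alice", later), later)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

run_scenario() returns the authenticated client name together with three booleans: the client cannot decrypt the service ticket with its own key, a ticket with a single altered byte is refused, and the same ticket is refused once the clock passes its end time. The authenticator carries a timestamp checked against the server clock, which is the replay protection the text attributes to the validity times.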


Web Services Security
ISBN: 0072224711
Year: 2003
Pages: 105
Authors: Mark O'Neill