Kerberos works similarly to a passport: A passport authority issues the passport after the person has identified themselves. With this passport, they can then go to the border and prove their identity.
Kerberos and the Passport Analogy
Two key principles of this analogy also apply to Kerberos:
- Border officers can verify the passport independently without having to contact the passport authority.
- The passport only serves for identification; it is up to the border officers to decide whether someone is allowed to travel.
The Kerberos Authentication Process
- Authentication at the Domain Controller: The user authenticates with the Domain Controller (the Key Distribution Center, KDC). The Domain Controller issues a Ticket-Granting Ticket (TGT), which is encrypted with the secret key of the KRBTGT account (commonly called the KRBTGT hash), a key known only to the domain controllers.
- Secure Exchange of the Session Key: Along with the TGT, the Domain Controller sends a Session Key, encrypted with a key derived from the user's password (the NT hash, or an AES key derived from the password). Only the user can decrypt this key and use it for subsequent requests.
Important Security Aspects
- Kerberos authenticates the user through possession of a valid TGT; it does not re-verify the password on every request.
- The encrypted part of the reply is protected with a key derived from the user's password, so an attacker who captures it can try to recover the plaintext password by offline brute force. This is particularly problematic if the "Do not require Kerberos preauthentication" flag is set on an account: any user in Active Directory (and, since no password is needed to ask, even an unauthenticated attacker who knows the account name) can then request a TGT for that account. The reply is useless on its own, because its encrypted part can only be opened with the user's key, but exactly that encrypted part can be cracked offline. This attack is called AS-REP Roasting.
- Golden Ticket Attack: A particularly critical attack is the Golden Ticket Attack. If an attacker obtains the KRBTGT key, they can forge arbitrary TGTs for any user with any group memberships, and the Domain Controller accepts them as genuine, which gives the attacker unrestricted access to the domain.
Accessing Services with Kerberos
After authentication, the user can access a service:
- The user presents the TGT to the Domain Controller and requests a Service Ticket for the desired service (TGS-REQ/TGS-REP).
- The Domain Controller checks the TGT with the KRBTGT key and issues the Service Ticket, which is encrypted with the long-term key (password hash) of the service account.
- The user sends this ticket to the Service Server (the system they want to log into) to gain access.
- The Service Server verifies the ticket by decrypting it with its own key; like the border officer, it does not need to contact the Domain Controller. If the ticket is valid, the service grants access.
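The two exchanges above, together with the attacks this post discusses (AS-REP Roasting, Kerberoasting and the Golden Ticket), as an added Python model; it is not code from the original post. The account names and passwords are constructed, the HMAC-based toy cipher and the sha256 stand-in for the password-derived key are assumptions for illustration (not Kerberos' real encryption types or message formats), and the tickets are JSON instead of ASN.1. What it shows is which key protects which piece of data, and therefore who can open, forge or crack what.

```python
import hashlib
import hmac
import json
import os
import time

def long_term_key(password):
    """Stand-in for the key Kerberos derives from a password (NT hash / AES key)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC of a dict. Opening it with the wrong key fails loudly,
    which is what lets a cracker test password guesses offline."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed domain with demo passwords; svc_sql is deliberately weak.
PASSWORDS = {"krbtgt": "long-random-secret-nobody-ever-types-7f3a9c",
             "alice": "Winter2024!", "svc_sql": "Summer2019"}
KEYS = {name: long_term_key(pw) for name, pw in PASSWORDS.items()}

def as_exchange(user):
    """DC: AS-REQ/AS-REP for an account without pre-authentication. The DC answers
    anyone who names the user; the password is only needed to open enc_part."""
    sk = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"user": user, "sk": sk, "exp": time.time() + 600})
    enc_part = seal(KEYS[user], {"sk": sk})   # session key under the user's own key
    return tgt, enc_part

def tgs_exchange(tgt, service, authenticator):
    """DC: TGS-REQ/TGS-REP. The TGT is validated with the krbtgt key alone."""
    claims = unseal(KEYS["krbtgt"], tgt)
    if claims["exp"] < time.time():
        raise ValueError("TGT expired")
    sk = bytes.fromhex(claims["sk"])
    if unseal(sk, authenticator)["user"] != claims["user"]:
        raise ValueError("authenticator does not match TGT")
    svc_sk = os.urandom(32).hex()
    service_ticket = seal(KEYS[service], {"user": claims["user"], "sk": svc_sk})
    return service_ticket, seal(sk, {"sk": svc_sk})

def service_accepts(service, service_ticket):
    """Service: decrypt with its own key, no call back to the DC (passport principle)."""
    return unseal(KEYS[service], service_ticket)["user"]

def client_login(user, password):
    tgt, enc_part = as_exchange(user)
    sk = bytes.fromhex(unseal(long_term_key(password), enc_part)["sk"])  # wrong pw -> ValueError
    return tgt, sk

def client_access(user, tgt, sk, service):
    authenticator = seal(sk, {"user": user, "ts": time.time()})
    service_ticket, enc_part = tgs_exchange(tgt, service, authenticator)
    unseal(sk, enc_part)                      # client now also holds the service session key
    return service_accepts(service, service_ticket)

def offline_crack(blob, wordlist):
    """AS-REP Roasting (blob = AS-REP enc_part) or Kerberoasting (blob = service
    ticket): every guess is tested against the captured blob, never against the DC."""
    for guess in wordlist:
        try:
            unseal(long_term_key(guess), blob)
            return guess
        except ValueError:
            pass
    return None

def golden_ticket(krbtgt_key, user):
    """Holding the krbtgt key, the attacker plays KDC and mints a TGT for anyone."""
    sk = os.urandom(32).hex()
    tgt = seal(krbtgt_key, {"user": user, "sk": sk, "exp": time.time() + 10 * 365 * 86400})
    return tgt, bytes.fromhex(sk)

if __name__ == "__main__":
    tgt, sk = client_login("alice", "Winter2024!")
    print("alice ->", client_access("alice", tgt, sk, "svc_sql"))
    _, enc_part = as_exchange("alice")        # no password needed to ask
    print("AS-REP roast:", offline_crack(enc_part, ["Summer2019", "Winter2024!"]))
    st, _ = tgs_exchange(tgt, "svc_sql", seal(sk, {"user": "alice", "ts": time.time()}))
    print("Kerberoast:", offline_crack(st, ["Summer2019"]))
    g_tgt, g_sk = golden_ticket(KEYS["krbtgt"], "Administrator")
    print("golden ->", client_access("Administrator", g_tgt, g_sk, "svc_sql"))
```

Note how the Domain Controller never touches a user key after the AS exchange and the service never talks to the Domain Controller: every check is "can I open this with the key I hold". That is also why the three attacks work: the AS-REP enc_part and the service ticket are handed out freely and cracked offline against the password-derived key, and the krbtgt key alone is enough to mint a TGT that tgs_exchange cannot tell from a real one.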
Security Recommendations
- Use strong service account passwords: Since service tickets are encrypted with the password hash of the service account, and any authenticated domain user can request a service ticket for any account with an SPN, service accounts should have strong, long passwords (or be Group Managed Service Accounts, whose passwords are long, random and rotated automatically). A weak password can be cracked offline with Kerberoasting attacks.
- Reset the KRBTGT password regularly and after a compromise: If the KRBTGT key is compromised, administrators must reset it twice, allowing time for replication between the resets, because the Domain Controller still accepts tickets encrypted with the previous key until the second reset. Only then are existing Golden Tickets invalidated.
- Enable Kerberos Pre-Authentication: With pre-authentication, the client must first prove knowledge of the password (by sending a timestamp encrypted with its key) before the Domain Controller returns anything encrypted with that key, so attackers cannot collect crackable AS-REP data. This prevents AS-REP Roasting.
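A way to check the three recommendations against an export of the domain's accounts, added here as an example and not part of the original post. The account list is constructed; the attribute names and userAccountControl bit values are the real Active Directory ones (ACCOUNTDISABLE 0x2, NORMAL_ACCOUNT 0x200, WORKSTATION_TRUST_ACCOUNT 0x1000, DONT_REQ_PREAUTH 0x400000), and pwdLastSet is a Windows FILETIME as AD stores it. In a real domain the same attributes come from Get-ADUser -Properties userAccountControl,servicePrincipalName,pwdLastSet or an LDAP query.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit values (real Microsoft UF_* flag values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_REQ_PREAUTH = 0x400000

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Windows FILETIME: 100-ns intervals since 1601-01-01 UTC (format of pwdLastSet)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def _dt(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample of the attributes an export of AD accounts would contain.
ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"], "pwdLastSet": to_filetime(_dt(2020, 1, 1))},
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": [], "pwdLastSet": to_filetime(_dt(2023, 11, 2))},
    {"sAMAccountName": "legacy_app", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "pwdLastSet": to_filetime(_dt(2021, 6, 15))},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "pwdLastSet": to_filetime(_dt(2019, 3, 8))},
    {"sAMAccountName": "old_svc", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/old.corp.example"], "pwdLastSet": to_filetime(_dt(2018, 1, 1))},
    {"sAMAccountName": "DB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["HOST/db01.corp.example"], "pwdLastSet": to_filetime(_dt(2023, 12, 1))},
]

def _enabled(acct):
    return not acct["userAccountControl"] & ACCOUNTDISABLE

def asrep_roastable(accounts):
    """Enabled accounts with 'Do not require Kerberos preauthentication' set."""
    return [a["sAMAccountName"] for a in accounts
            if _enabled(a) and a["userAccountControl"] & DONT_REQ_PREAUTH]

def kerberoastable(accounts):
    """Enabled user accounts with an SPN. Computer accounts (name ends in '$') and
    krbtgt are left out: their keys are long and random, so cracking is hopeless;
    what remains is the list whose passwords must be strong or managed (gMSA)."""
    return [a["sAMAccountName"] for a in accounts
            if _enabled(a) and a["servicePrincipalName"]
            and not a["sAMAccountName"].endswith("$") and a["sAMAccountName"] != "krbtgt"]

def krbtgt_key_age_days(accounts, now):
    """Days since the krbtgt password (and with it the TGT encryption key) was last reset."""
    krbtgt = next(a for a in accounts if a["sAMAccountName"] == "krbtgt")
    return (now - from_filetime(krbtgt["pwdLastSet"])).days

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("AS-REP roastable:", asrep_roastable(ACCOUNTS))
    print("Kerberoastable  :", kerberoastable(ACCOUNTS))
    print("krbtgt key age  :", krbtgt_key_age_days(ACCOUNTS, now), "days")
```

The first list is the set of accounts on which pre-authentication needs to be switched back on, the second is where to look for weak passwords before an attacker does, and the age figure is the one to compare against the rotation interval you decided on for KRBTGT.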
Kerberos is a powerful authentication protocol, but it must be securely configured and monitored to prevent attacks.
You can also find this information in this YouTube video (sorry, only in German):
Questions and Contact
If you have any more questions, contact VidraSec!
+43 720 971425 | martin@vidrasec.com