Brief Summary of Kerberos

Mahbuba Shahrin
2 min read, Mar 8, 2022

--

Kerberos authentication process.

Describes how the Kerberos authentication process works.

Scenario

Sally is the end user (client) trying to log on to her company’s computer to start working for the day. She enters her username and password, and her workstation requests a Ticket Granting Ticket (TGT), the authentication ticket. The username and password are checked by the Key Distribution Center (KDC), acting as the Authentication Service: the KDC verifies whether this client’s username and password are legitimate and sends back an encrypted ticket. The client stores that ticket; if it expires, the local session manager requests another one. The client then sends the currently valid ticket to the Ticket Granting Server (TGS) together with the Service Principal Name (SPN) of the resource it wants to access. The TGS sends the client a valid session key for that service, and the client forwards the session key to the service to gain access.

Ticket Granting Ticket = In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) that is used to request access tokens from the Ticket Granting Service (TGS) for specific resources/systems joined to the domain.

Use of the TGT was designed into the Kerberos protocol to avoid frequently asking the user for a password — a password used by Kerberos to derive a master key — or storing the master key on the workstation.

Key Distribution Center = Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client’s password as the key, and sends the encrypted TGT back to the client.

Authentication Service = Authentication Service supports username/password validation using your on-premises Active Directory/LDAP server. Authentication Service is installed as a virtual appliance and communicates with your local directory using LDAP over SSL. It can operate in the DMZ, inside the local area network (LAN), or both, depending on the mode(s) of operation.

Encrypted Ticket = The Kerberos ticket is a certificate issued by an authentication server, encrypted using the server key.

Local Session Manager = Core Windows Service that manages local user sessions.

Service Principal Name = a unique identifier of a service instance, registered on a Service Account, User Account or Computer object, that lets other AD resources know which services are running under which accounts and creates associations between them in Active Directory.

Session Key = Any encryption key used to symmetrically encrypt one communication session only.
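The scenario above and the glossary terms (TGT, KDC, TGS, SPN, session key) fit together in one runnable walk-through. The Python below is an added example, not code from the article or from any Kerberos implementation: it simulates the three exchanges with a toy authenticated-encryption stand-in (HMAC-SHA256 keystream plus tag) in place of the real Kerberos encryption types, and it adds a pre-authentication timestamp, which the article does not mention, so that the KDC actually verifies the password as the scenario says. The realm EXAMPLE.COM, the principals sally and cifs/fileserver, the passwords, the 600-second lifetime and every function name are constructed for this example.

```python
"""Toy walk-through of the scenario's Kerberos flow (constructed example, not a
real Kerberos implementation): AS exchange with a pre-authentication timestamp
(password -> TGT), TGS exchange (TGT + SPN -> service ticket + session key), and
the client presenting the ticket to the service.  The "encryption" is a stand-in
(HMAC-SHA256 keystream plus MAC tag), not a Kerberos encryption type."""
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"  # constructed realm name


def derive_key(password: str, principal: str) -> bytes:
    # Long-term key from the password, salted with realm + principal (like string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption: nonce || tag || ciphertext.
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> dict:
    # Verify the tag first: a wrong key or a modified ticket is rejected here.
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one place."""

    def __init__(self, principals: dict, lifetime: int = 600):
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.krbtgt_key = os.urandom(32)  # seals every TGT; clients never see it
        self.lifetime = lifetime

    def as_exchange(self, user: str, preauth: bytes, now: float) -> bytes:
        # AS: the pre-auth timestamp must open with the user's stored key.
        try:
            unseal(self.keys[user], preauth)
        except (KeyError, ValueError):
            raise PermissionError("pre-authentication failed") from None
        tgt_session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "session": tgt_session, "exp": now + self.lifetime})
        # AS-REP: opaque TGT plus its session key, sealed with the user's key.
        return seal(self.keys[user], {"tgt": tgt.hex(), "session": tgt_session})

    def tgs_exchange(self, tgt_blob: bytes, spn: str, now: float) -> bytes:
        # TGS: open the TGT with the krbtgt key; refuse expired TGTs and unknown SPNs.
        tgt = unseal(self.krbtgt_key, tgt_blob)
        if now > tgt["exp"]:
            raise PermissionError("TGT expired; client must request a new one")
        if spn not in self.keys:
            raise KeyError(f"unknown SPN {spn}")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[spn], {"user": tgt["user"], "session": svc_session, "exp": now + self.lifetime})
        # TGS-REP: service ticket (readable only by the service) plus the service session key.
        return seal(bytes.fromhex(tgt["session"]), {"ticket": ticket.hex(), "session": svc_session})


def client_get_service_ticket(kdc: KDC, user: str, password: str, spn: str, now: float):
    """Client side: AS exchange, then TGS exchange; returns (service_ticket, authenticator)."""
    user_key = derive_key(password, user)
    as_rep = unseal(user_key, kdc.as_exchange(user, seal(user_key, {"ts": now}), now))
    tgs_rep = unseal(bytes.fromhex(as_rep["session"]),
                     kdc.tgs_exchange(bytes.fromhex(as_rep["tgt"]), spn, now))
    authenticator = seal(bytes.fromhex(tgs_rep["session"]), {"user": user, "ts": now})
    return bytes.fromhex(tgs_rep["ticket"]), authenticator


def service_accept(service_key: bytes, ticket_blob: bytes, authenticator: bytes, now: float) -> str:
    """Service side: open the ticket with its own key, then check the authenticator."""
    ticket = unseal(service_key, ticket_blob)
    if now > ticket["exp"]:
        raise PermissionError("service ticket expired")
    auth = unseal(bytes.fromhex(ticket["session"]), authenticator)
    if auth["user"] != ticket["user"]:
        raise PermissionError("authenticator does not match ticket")
    return ticket["user"]


def outcome(step, *args) -> str:
    """Run one step and report 'ok' or the exception class name of the refusal."""
    try:
        step(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    kdc = KDC({"sally": "correct horse battery", "cifs/fileserver": "service-secret"})
    ticket, auth = client_get_service_ticket(kdc, "sally", "correct horse battery", "cifs/fileserver", 1000.0)
    print("service accepted:", service_accept(kdc.keys["cifs/fileserver"], ticket, auth, 1000.0))
```

Running it prints the user the service accepted. The `outcome` helper makes the refusals visible: a wrong password fails at pre-authentication and never yields a TGT, a ticket sealed for one SPN fails the integrity check at any other service, and an expired TGT or service ticket is refused until a fresh one is requested, which is the renewal the scenario attributes to the local session manager.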
