Authentication

Kerberos

Kerberos is a network authentication protocol that uses time-bound, encrypted tickets issued by a trusted Key Distribution Center (KDC) so users and services can prove their identity without sending passwords over the wire — most famously the authentication engine behind Active Directory.

Last reviewed 5/30/2026

Key points

  • Designed at MIT in the 1980s; current version is Kerberos v5 (RFC 4120).
  • Three parties: the client, the service, and the Key Distribution Center (KDC). The KDC issues a TGT, then per-service tickets.
  • Enables Single Sign-On on Windows networks — sign in once to AD, get tickets for file shares, intranet apps, SQL Server, etc.
  • Common attacks: Kerberoasting, AS-REP roasting, Pass-the-Ticket, Golden / Silver Tickets, all of them packaged in off-the-shelf tooling such as Mimikatz and Rubeus.
  • Modern alternatives for new apps: OIDC / SAML over the internet. Kerberos still dominates on-prem Windows.

What is Kerberos?

Kerberos is the cryptographic SSO protocol invented at MIT in the 1980s and adopted by Microsoft as the default authentication mechanism in Active Directory. When you sign into a domain-joined Windows machine and then access a file share or intranet app without re-entering your password, Kerberos is what's happening under the hood.

How it works (simplified)

  1. User signs into their workstation. The workstation sends an AS-REQ to the KDC (the AD domain controller) asking for a Ticket-Granting Ticket (TGT), proving knowledge of the user's password-derived key with a pre-authentication timestamp encrypted under that key.
  2. KDC returns a TGT. The TGT itself is encrypted with the KDC's own krbtgt key, so the workstation can neither read nor alter it; alongside it comes a session key encrypted with the user's key, and decrypting that is what proves the password was right.
  3. To access a service, the workstation sends the TGT plus an authenticator (a timestamp under the TGT session key) to the KDC and names the target by its Service Principal Name (SPN), e.g. cifs/fileserver.acme.com.
  4. KDC returns a service ticket encrypted with the long-term key of the account that owns that SPN (the computer or service account).
  5. Workstation presents the service ticket to the service. The service decrypts it with its own key, without contacting the KDC, reads the authenticated identity inside, and grants access.

The user's password never traverses the network. Tickets have short lifetimes (the AD default is 10 hours, renewable for up to 7 days) but are not bound to the workstation that requested them: a ticket copied out of a host's memory works from any other host until it expires, which is exactly what Pass-the-Ticket exploits.

Why it still matters

  • Most enterprise on-prem authentication is Kerberos — file shares, intranet apps, SQL Server, jump hosts, SharePoint on-prem.
  • Attacker playbook — Active Directory attacks are heavily Kerberos-focused: Kerberoasting (requesting service tickets for accounts with SPNs and cracking the service account's password offline), AS-REP roasting (the same offline crack against accounts that do not require pre-authentication), Golden Tickets (TGTs forged with the KRBTGT hash), Silver Tickets (service tickets forged with a service account's hash, accepted without the KDC ever being consulted), Pass-the-Ticket (reusing tickets stolen from another host). These are well-documented in MITRE ATT&CK.
  • Hybrid environments — Entra Connect synchronizes AD to Entra ID; many orgs still rely on Kerberos for the on-prem half.
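The exchange from "How it works" and the playbook just listed, reduced to a toy model. This is an added example, not code from the page or from any Kerberos implementation: the realm, accounts, passwords and SPNs are constructed, and the sealing routine is an HMAC-SHA256 stand-in for Kerberos's real encryption types. The structural point it makes is that the TGT is sealed under the krbtgt key and the service ticket under the service account's key, so the krbtgt key forges TGTs (Golden Ticket), a service key forges tickets that service accepts without asking the KDC (Silver Ticket), and holding a service ticket or a pre-auth-free AS-REP lets an attacker test password guesses offline (Kerberoasting, AS-REP roasting).

```python
"""Toy model of the Kerberos ticket flow. Constructed example: not real
Kerberos and not production crypto. It shows which long-term key seals which
blob, and why Kerberoasting, AS-REP roasting, Silver and Golden Tickets follow."""
import hashlib, hmac, json, os, time

REALM = "ACME.COM"
TICKET_LIFE = 10 * 3600  # AD default ticket lifetime: 10 hours

def string_to_key(password, principal):
    # AES etypes use PBKDF2 (4096 rounds) salted with REALM+principal; RC4 (etype 23)
    # uses the unsalted NT hash instead, hence the large cracking-speed gap.
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for a Kerberos EncryptedData blob."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the sealed object, or None if the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed KDC database of long-term keys (in AD these live in NTDS.dit).
DB = {
    "alice": string_to_key("Winter2024!", "alice"),
    "krbtgt": os.urandom(32),
    "svc_sql": string_to_key("Password1", "svc_sql"),  # weak on purpose
    "svc_legacy": string_to_key("Summer2023", "svc_legacy"),
}
SPN_OWNER = {"MSSQLSvc/sql01.acme.com:1433": "svc_sql", "HTTP/legacy.acme.com": "svc_legacy"}
NO_PREAUTH = {"svc_legacy"}  # accounts with DONT_REQ_PREAUTH set

def _ticket(key, cname, session_key, spn=None):
    return seal(key, {"cname": cname, "key": session_key, "spn": spn,
                      "end": time.time() + TICKET_LIFE})

def _open(key, ticket, authenticator):
    """Decrypt with `key`, check expiry, check the presenter knows the session key."""
    t = unseal(key, ticket)
    if t is None or t["end"] < time.time():
        return None
    return t if unseal(bytes.fromhex(t["key"]), authenticator) is not None else None

def as_exchange(user, password=None):
    """AS-REQ / AS-REP. Returns (tgt, enc_part)."""
    if user not in NO_PREAUTH:
        # Pre-authentication: a timestamp under the user's key must verify first.
        proof = seal(string_to_key(password or "", user), {"ts": time.time()})
        if unseal(DB[user], proof) is None:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
    sk = os.urandom(32).hex()
    tgt = _ticket(DB["krbtgt"], user, sk)   # under the krbtgt key: opaque to the client
    enc_part = seal(DB[user], {"key": sk})  # the only part under the user's key
    return tgt, enc_part

def tgs_exchange(tgt, tgt_sk, spn):
    """TGS-REQ / TGS-REP. The KDC opens the TGT with the krbtgt key and never
    touches the user's key again. Returns (service_ticket, service_session_key)."""
    t = _open(DB["krbtgt"], tgt, seal(bytes.fromhex(tgt_sk), {"ts": time.time()}))
    if t is None:
        raise PermissionError("invalid or expired TGT")
    ssk = os.urandom(32).hex()
    st = _ticket(DB[SPN_OWNER[spn]], t["cname"], ssk, spn)  # under the SERVICE account's key
    return st, ssk  # a real TGS-REP also seals ssk under tgt_sk; elided here

def service_accept(service_key, st, st_sk):
    """AP-REQ at the service, with no call to the KDC: whoever holds the service
    key can mint tickets this accepts (Silver Ticket)."""
    t = _open(service_key, st, seal(bytes.fromhex(st_sk), {"ts": time.time()}))
    return None if t is None else t["cname"]

def offline_crack(blob, principal, wordlist):
    """Kerberoasting (blob = a service ticket of `principal`) and AS-REP roasting
    (blob = enc_part of a no-preauth account): the guesses never touch the DC."""
    for pw in wordlist:
        if unseal(string_to_key(pw, principal), blob) is not None:
            return pw
    return None

def forge_ticket(long_term_key, cname, spn=None):
    """Golden Ticket when long_term_key is the krbtgt key (a TGT for any cname),
    Silver Ticket when it is a service key. Same operation, different key."""
    sk = os.urandom(32).hex()
    return _ticket(long_term_key, cname, sk, spn), sk
```

Run the normal flow first (as_exchange, tgs_exchange, service_accept), then call offline_crack on the service ticket with a small wordlist and forge_ticket with DB["svc_sql"] or DB["krbtgt"]: the service accepts the forgeries exactly as it accepts a legitimate ticket, and nothing in the model lets it tell the difference, which is why the defence has to be key protection (KRBTGT rotation, strong or managed service passwords) rather than anything the service can check.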

When buyers care

  • Anyone with on-prem AD — Kerberos hardening is a top ITDR / AD security project.
  • Migrating to cloud — Kerberos doesn't traverse the internet cleanly, so cloud apps use SAML/OIDC; you'll need Kerberos-to-SAML bridges (Okta Access Gateway, ADFS, Entra Application Proxy) for legacy apps.

Hardening must-haves

  • AES-only encryption — set msDS-SupportedEncryptionTypes to AES128/AES256 on service accounts and disable RC4. An RC4 (etype 23) ticket is keyed by the account's unsalted NT hash and cracks orders of magnitude faster than an AES ticket, whose key is a salted PBKDF2 derivation; Kerberoasting tooling requests RC4 tickets wherever the account still allows them. Audit for accounts where the attribute is unset, since the domain default has historically been RC4.
  • Strong service account passwords — Kerberoasting cracks weak ones offline.
  • gMSA / Managed Service Accounts — eliminate human-managed service passwords; gMSA passwords are long random values rotated automatically by the domain (every 30 days by default).
  • Protect KRBTGT — every TGT is encrypted with its key, so its hash is all a Golden Ticket needs. Rotate it twice: the KDC accepts tickets under the current and the previous key, so a single rotation leaves forged tickets valid. Wait at least a full replication cycle plus the maximum ticket lifetime between the two resets, do it on a schedule, and do it again after any suspected domain compromise.
  • Tier-0 isolation — KDCs / domain controllers in a separate admin tier.
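An offline audit of exported account attributes for four of the five items above (Tier-0 isolation is an architecture question, not an attribute). This is an added example, not from the page: the records are constructed to resemble what Get-ADObject or ldifde return, the thresholds (365 days for service passwords, 180 for krbtgt) are assumptions, and the bit values are the documented msDS-SupportedEncryptionTypes and userAccountControl flags.

```python
"""Offline audit of AD account records against the hardening list above.
Constructed example: the records mimic the attributes an LDAP export
(Get-ADObject, ldifde) returns; no directory is queried."""
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit values: the KDC only issues etypes in this mask.
DES_CRC, DES_MD5, RC4, AES128, AES256 = 0x01, 0x02, 0x04, 0x08, 0x10
AES_ONLY = AES128 | AES256  # 0x18: the value to set on service accounts
# userAccountControl bits
ACCOUNTDISABLE, WORKSTATION_TRUST, DONT_REQ_PREAUTH = 0x2, 0x1000, 0x400000
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def password_age_days(record, now):
    return (now - filetime_to_dt(record["pwdLastSet"])).days


def audit(record, now, max_svc_pw_age=365, max_krbtgt_age=180):
    """Return the findings for one account record; an empty list means clean."""
    name = record["sAMAccountName"]
    uac = record.get("userAccountControl", 0)
    etypes = record.get("msDS-SupportedEncryptionTypes")  # None when never set
    spns = record.get("servicePrincipalName", [])
    findings = []
    if name.lower() == "krbtgt":  # checked first: krbtgt is always disabled in AD
        age = password_age_days(record, now)
        if age > max_krbtgt_age:
            findings.append(f"krbtgt key is {age} days old: rotate twice (Golden Ticket exposure)")
        return findings
    if uac & ACCOUNTDISABLE:
        return findings  # disabled accounts are not issued tickets
    if uac & DONT_REQ_PREAUTH:
        findings.append("DONT_REQ_PREAUTH set: AS-REP roastable")
    if not spns:
        return findings
    # Computer accounts and gMSAs carry long random, auto-rotated passwords;
    # Kerberoasting only pays off against human-set service passwords.
    auto_managed = bool(uac & WORKSTATION_TRUST) or GMSA_CLASS in record.get("objectClass", [])
    if not auto_managed:
        findings.append("human-managed account with SPN: Kerberoastable, move to gMSA")
        age = password_age_days(record, now)
        if age > max_svc_pw_age:
            findings.append(f"service password is {age} days old")
    if not etypes:
        findings.append("msDS-SupportedEncryptionTypes unset: domain default applies (historically RC4)")
    elif etypes & (RC4 | DES_CRC | DES_MD5):
        findings.append(f"RC4/DES allowed (0x{etypes:x}): set to AES only (0x{AES_ONLY:x})")
    return findings


# Constructed sample export; values chosen to exercise each check.
NOW = datetime(2026, 5, 30, tzinfo=timezone.utc)


def _ft(y, m, d):
    return dt_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


SAMPLE = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "pwdLastSet": _ft(2019, 1, 15)},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200, "pwdLastSet": _ft(2019, 1, 15),
     "servicePrincipalName": ["MSSQLSvc/sql01.acme.com:1433"]},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200, "pwdLastSet": _ft(2026, 1, 1),
     "servicePrincipalName": ["HTTP/legacy.acme.com"], "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "gmsa_web$", "userAccountControl": 0x1000, "pwdLastSet": _ft(2026, 5, 1),
     "objectClass": ["top", "user", "computer", GMSA_CLASS],
     "servicePrincipalName": ["HTTP/web.acme.com"], "msDS-SupportedEncryptionTypes": AES_ONLY},
]


def run(records=SAMPLE, now=NOW):
    """Audit every record; returns {sAMAccountName: [findings]}."""
    return {r["sAMAccountName"]: audit(r, now) for r in records}
```

On the sample, the gMSA comes back clean, krbtgt is flagged for a key that has never been rotated, svc_sql is flagged three times (Kerberoastable, stale password, encryption types never set) and svc_legacy is flagged for pre-authentication being disabled and for still advertising RC4. Feeding a real export in is a matter of mapping the same attribute names; the pwdLastSet conversion is the one piece people usually get wrong.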

Editorial note

If your AD is more than five years old and hasn't had a tier model + KRBTGT rotation + RC4 disabled, that's the place to start before any flashier ITDR purchase.

Standards & references