Kerberos is a secure authentication protocol used in Windows environments. It uses a ticket system and strong encryption to verify identities, even on open networks. In an Active Directory setup, the Domain Controller acts as the Key Distribution Center (KDC) with two main parts: the Authentication Service (AS) and the Ticket Granting Service (TGS), which issue tickets to confirm identities.
Key Components
- Client: The user or computer trying to authenticate.
- Domain Controller (KDC): The server hosting the AD database and handling authentication requests. It includes:
  - Authentication Service (AS): Issues the initial Ticket Granting Ticket (TGT).
  - Ticket Granting Service (TGS): Issues service-specific tickets based on the TGT.
[Figure: Key Distribution Center (KDC), made up of the Authentication Server (AS) and the Ticket Granting Server (TGS)]
- Ticket Granting Ticket (TGT): A temporary credential that allows the client to request service tickets without re-sending its password.
- Service Ticket: A ticket that allows the client to authenticate to a specific service (e.g., file server, SQL server).
- Ticket: A credential that a client presents to an application server (whether the KDC itself or another service) to prove its identity. Tickets are issued by the KDC, specifically by the Authentication Server (AS) and the Ticket Granting Server (TGS), and each is encrypted with a secret key belonging to the service it is intended for, so only that service can read it.
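The exchange described above, modelled end to end as an added example (not code from the original page): the AS returns a session key under the user's key plus a TGT under the krbtgt key, the TGS opens the TGT and returns a service ticket under the service's key, and the service validates that ticket on its own. The user, service and key names are constructed, and `seal`/`unseal` is a toy HMAC-authenticated cipher standing in for Kerberos encryption types.

```python
# Added model of the Kerberos flow above: AS-REQ/AS-REP, TGS-REQ/TGS-REP, AP-REQ.
# All names and keys are constructed; seal/unseal is a toy cipher standing in for
# Kerberos encryption types (keystream is capped at 256 blocks, fine for a demo).
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")  # only the key owner can open it
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Long-term keys held by the KDC: user key (derived from password), krbtgt, service.
KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),
        "krbtgt": os.urandom(32), "cifs/fs01": os.urandom(32)}

def as_exchange(user):
    """AS-REP: TGS session key sealed under the user key, TGT sealed under krbtgt."""
    sk = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"client": user, "key": sk, "exp": time.time() + 36000})
    return seal(KEYS[user], {"key": sk}), tgt

def tgs_exchange(tgt, authenticator, service):
    """TGS-REP: open the TGT with the krbtgt key, check the authenticator, issue a service ticket."""
    t = unseal(KEYS["krbtgt"], tgt)
    if t["exp"] < time.time() or unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
        raise ValueError("TGT expired or authenticator mismatch")
    svc_sk = os.urandom(32).hex()
    ticket = seal(KEYS[service], {"client": t["client"], "key": svc_sk})
    return seal(bytes.fromhex(t["key"]), {"key": svc_sk}), ticket

def service_accept(service, ticket, authenticator):
    """AP-REQ: the service opens the ticket with its own key; the KDC is not contacted."""
    t = unseal(KEYS[service], ticket)
    if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator mismatch")
    return t["client"]

def login_and_access(user, password, service):
    """Client side of the whole flow; returns the identity the service accepted."""
    enc_sk, tgt = as_exchange(user)
    sk = bytes.fromhex(unseal(hashlib.sha256(password.encode()).digest(), enc_sk)["key"])
    enc_svc, ticket = tgs_exchange(tgt, seal(sk, {"client": user}), service)
    svc_sk = bytes.fromhex(unseal(sk, enc_svc)["key"])
    return service_accept(service, ticket, seal(svc_sk, {"client": user}))
```

Note that the password is never sent: a wrong password simply fails to open the AS reply, and a ticket sealed for one service cannot be opened with any other key.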