Kerberos is a computer network authentication protocol that verifies the identities of users or hosts using a system of digital “tickets.” It uses secret-key cryptography and a trusted third party to verify user identities and authenticate client-server applications.
The Kerberos protocol was originally developed at the Massachusetts Institute of Technology (MIT) in 1988, so the university could securely authenticate network users and authorise them to access specific resources, such as storage and databases. At the time, computer networks authenticated users with user IDs and passwords – which were transmitted unencrypted, in plain text. This enabled threat actors to intercept user credentials and use them to breach MIT’s network.
Kerberos enabled trusted hosts to communicate over untrusted networks – in particular, the internet – without transmitting or storing passwords in plain text. Additionally, Kerberos allowed users to access multiple systems with only one password, an early version of Single Sign-On (SSO) technology.
Kerberos is one of the most widely used network authentication protocols today. It is frequently used to support SSO in large enterprise networks, is the default authentication method in Windows, and plays an integral role in Windows Active Directory (AD). Kerberos implementations are also available for Apple OS, FreeBSD, UNIX and Linux.
Tickets are at the heart of the Kerberos authentication protocol.
The name Kerberos comes from Greek mythology. Kerberos, also known as Cerberus, was a three-headed dog who guarded the gates to the world of the dead. The name refers to the three “heads” of the Kerberos protocol: the client, the server and the Kerberos Key Distribution Center (KDC) which issues Kerberos “tickets.”
A Kerberos “ticket” is a digital certificate issued by an authentication server and encrypted with the key of the server it is intended for; it enables hosts to prove their identities to each other securely. This is known as mutual authentication.
The requesting and granting of Kerberos tickets happens transparently to the end user. When a client receives a Kerberos authentication ticket, it returns the ticket to the server, along with additional information to verify the client's identity. The server then issues a Kerberos service ticket and a session key, which completes the authorisation process for that session. All Kerberos tickets are time-stamped, time-limited and session-specific, which minimises the risk that a threat actor can use a compromised ticket to access the system.
Here’s a very simplified description of the Kerberos protocol in action:
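The ticket flow described above, modelled as an added example that is not the original page's description: a toy KDC runs the AS and TGS exchanges, a service checks the AP request with its own key, and every ticket binds a client name to a session key and an expiry. The encrypt-then-MAC wrapper, the principal names and the 5-minute skew window are assumptions; real Kerberos uses ASN.1 messages and its own encryption types.

```python
import hashlib, hmac, json, os
SKEW = 300  # seconds of clock skew tolerated on authenticators (assumed; 5 minutes is a common default)

def _ks(key, nonce, n):  # keystream from key and nonce; a toy stand-in for Kerberos encryption types
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC wrapper playing the role of an encrypted Kerberos message part
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):  # fails closed: a wrong key or any tampering breaks the MAC
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def check(ticket, auth, now):  # TGS and service both require: unexpired ticket, fresh authenticator, same client
    if now > ticket["exp"] or auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("expired ticket, stale authenticator or client mismatch")

class KDC:
    def __init__(self, users, services, lifetime=600):
        self.users = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}  # key from password; password never sent
        self.services = services  # service principal -> key shared only between the KDC and that service
        self.tgs_key = os.urandom(32)  # seals ticket-granting tickets; known only to the KDC
        self.lifetime = lifetime  # every ticket carries an expiry: time-stamped and time-limited
    def _ticket(self, client, key, skey, now):  # a ticket binds a client name to a session key and an expiry
        return seal(key, {"client": client, "skey": skey.hex(), "exp": now + self.lifetime})
    def as_exchange(self, client, now):  # AS-REQ/AS-REP: session key plus TGT, readable only with the client key
        skey = os.urandom(32)
        return seal(self.users[client], {"skey": skey.hex(), "tgt": self._ticket(client, self.tgs_key, skey, now).hex()})
    def tgs_exchange(self, tgt, authenticator, service, now):  # TGS-REQ/TGS-REP: TGT -> service ticket
        t = unseal(self.tgs_key, tgt)  # the client cannot read or forge the TGT; only the KDC key opens it
        check(t, unseal(bytes.fromhex(t["skey"]), authenticator), now)
        skey = os.urandom(32)
        st = self._ticket(t["client"], self.services[service], skey, now)
        return seal(bytes.fromhex(t["skey"]), {"skey": skey.hex(), "ticket": st.hex()})

def service_accepts(service_key, ticket, authenticator, now):  # AP-REQ, verified by the service itself
    t = unseal(service_key, ticket)  # no KDC round trip needed: the service's own key opens the ticket
    check(t, unseal(bytes.fromhex(t["skey"]), authenticator), now)
    return True

def login_and_access(kdc, client, password, service, now):  # client side of all three exchanges
    rep = unseal(hashlib.sha256(password.encode()).digest(), kdc.as_exchange(client, now))  # wrong password -> ValueError
    tgt, skey = bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["skey"])
    trep = unseal(skey, kdc.tgs_exchange(tgt, seal(skey, {"client": client, "ts": now}), service, now))
    st, sskey = bytes.fromhex(trep["ticket"]), bytes.fromhex(trep["skey"])
    # the service (not the client) holds kdc.services[service]; the client only presents ticket + authenticator
    return service_accepts(kdc.services[service], st, seal(sskey, {"client": client, "ts": now}), now)
```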
Kerberos is a mature, robust authentication protocol that is integrated into all popular operating systems and supports modern distributed computing environments. It’s especially suited for SSO deployments, where it provides the back-end technology to ensure that end users have a smooth experience while supporting Role-Based Access Control (RBAC) and least-privilege access to digital resources.
Because Kerberos is a widely used, decades-old technology, threat actors have found ways to compromise it. Common Kerberos cyberattacks include:
However, while no technology is 100% unhackable, Kerberos is quite secure if it’s configured and maintained properly. To keep your Kerberos deployment secure, be sure to keep Kerberos updated and ensure that your end users are all using strong, unique passwords backed up with Multi-Factor Authentication (MFA).