A ticket-based authentication protocol that securely verifies user identities across networked systems.
Automate access, reduce risk, and stay audit-ready
Last Updated date: July 2026
Kerberos is a ticket-based network authentication protocol that verifies user and service identities without transmitting passwords across the network. Developed at MIT and built on symmetric-key cryptography, it uses a trusted third party — the Key Distribution Center (KDC) — to issue short-lived, encrypted tickets that prove identity. It is the default authentication mechanism in Microsoft Active Directory and the foundation of single sign-on (SSO) in most enterprise environments.
| Field | Detail |
|---|---|
| Category | Authentication Protocol |
| Related to | IAM, Active Directory, SSO, Zero Trust, Kerberoasting |
| Primary use | Enterprise network authentication across Windows, macOS, and Linux |
| Key benefit | Passwords never traverse the network; mutual authentication is by default |
Kerberos is the authentication engine behind most enterprise access control systems. Every time a user logs into a Windows domain and accesses a file share, email server, or internal application without re-entering credentials, Kerberos is working silently in the background.
For identity governance and IAM teams, this matters for two reasons. First, Kerberos centralizes authentication decisions through the KDC, making it a natural enforcement point for access policies. Second, because Kerberos underpins Active Directory, any identity governance platform managing Windows environments must account for how Kerberos tickets are issued, delegated, and expired.
Weak Kerberos configurations are among the most commonly exploited vectors in enterprise breaches, including attacks like Kerberoasting and Pass-the-Ticket, making proper lifecycle management of Kerberos-authenticated accounts a core IAM responsibility.
Kerberos authenticates users through a three-step ticket exchange. No password ever leaves the client machine.
Step 1 — Initial Login (AS Exchange): The client sends a request to the Authentication Server (AS) component of the KDC. The KDC derives a secret key from the user's password hash and returns a Ticket-Granting Ticket (TGT), encrypted so only the KDC can read it. The user's actual password is never sent.
Step 2 — Service Ticket Request (TGS Exchange): When the user wants to access a resource, a file server, database, or internal app, the client sends the TGT to the Ticket-Granting Server (TGS). The TGS validates the TGT and issues a Service Ticket specific to the requested resource, along with a session key.
Step 3 — Service Access: The client presents the Service Ticket to the target server. The server decrypts it using its own secret key shared with the KDC, verifies the ticket is valid and unexpired, and grants access. Crucially, the server also proves its identity to the client; this is mutual authentication.
The entire exchange is time-bounded. Tickets typically expire within 8–10 hours, limiting the window attackers have to reuse stolen credentials.
Key Distribution Center (KDC): The trusted authority at the center of the Kerberos model. In Active Directory environments, the KDC runs on every domain controller. It contains two logical services: the Authentication Server (AS) and the Ticket-Granting Server (TGS).
Ticket-Granting Ticket (TGT): A credential issued after initial login that proves the user has already been authenticated. The client uses it to request service tickets for individual resources without re-entering credentials, the mechanism behind SSO.
Service Ticket: A resource-specific credential issued by the TGS. It contains an encrypted copy of the session key and the user's authorization data, readable only by the target service.
Principal: Any entity that can be authenticated by Kerberos, a user account, a service account, or a machine account. In Active Directory, every principal has a Service Principal Name (SPN) that Kerberos uses to route ticket requests.
Authenticator: A short-lived, client-generated token included alongside the TGT or Service Ticket. It contains a timestamp, preventing replay attacks where an attacker intercepts and reuses a valid ticket.
Windows Active Directory: Kerberos is the default authentication protocol for all domain-joined Windows machines. Every domain login, Group Policy application, and resource access in an AD environment flows through Kerberos. Identity governance platforms that manage AD must account for TGT lifetime, delegation settings, and service account SPNs.
Healthcare: Hospitals use Kerberos-backed SSO to give clinicians seamless access to EHR systems, imaging platforms, and lab tools under a single login session, critical in time-sensitive care environments where re-authentication delays are not acceptable.
Financial Services:
Banks and trading platforms rely on Kerberos mutual authentication to ensure that both users and internal services are verified before sensitive transactions are processed. Time-limited tickets reduce the exposure window for compromised session credentials.
Kerberos is not the only authentication protocol in enterprise environments. Understanding where it fits, and where it doesn't, is key for IAM architects.
| Protocol | Type | Mutual Auth | Password Sent | Best for |
|---|---|---|---|---|
| Kerberos | Ticket-based | ✅ Yes | ❌ No | Internal domain resources |
| NTLM | Challenge-response | ❌ No | Hash only | Legacy/non-domain systems |
| SAML | Token-based (federated) | Partial | ❌ No | Web SSO, cloud apps |
One-sentence summary: Kerberos is the strongest option for internal enterprise authentication; SAML is the standard for federated identity and cloud applications; NTLM is a legacy fallback that should be disabled where Kerberos is available.
1. Audit all Service Principal Names (SPNs): Every service account with an SPN is a potential Kerberoasting target. Identify all accounts with SPNs and enforce strong, rotated passwords on each one.
2. Set appropriate ticket lifetimes: Default TGT lifetime in Active Directory is 10 hours with 7-day renewal. Tighten these in high-security environments and align them with your session management policies.
3. Restrict Kerberos delegation: Unconstrained delegation allows a compromised service account to impersonate any user to any service. Audit and remove unconstrained delegation; use resource-based constrained delegation instead.
4. Monitor for anomalous ticket requests: Kerberoasting generates unusual TGS requests for service accounts. SIEM rules and identity threat detection tools should alert on high-volume or off-hours ticket requests for accounts with SPNs.
5. Integrate with your IGA platform: Kerberos authentication data should feed into your identity governance system, such as account lifecycle, access certification, and privilege management decisions, which depend on understanding who holds valid tickets and what those tickets grant access to.
Clock sensitivity: Kerberos requires all systems in a domain to maintain clocks within 5 minutes of each other (by default). Clock skew beyond this threshold causes authentication failures, a common operational issue in large or geographically distributed environments.
KDC as a single point of failure: If the KDC becomes unavailable, domain authentication stops. Enterprise deployments mitigate this with multiple domain controllers, each running a KDC instance.
Kerberoasting exposure: Any authenticated domain user can request a service ticket for any SPN. If service account passwords are weak, attackers can request tickets offline and crack them. This is one of the most common lateral movement techniques in Active Directory attacks.
Limited to internal networks: Kerberos was designed for closed, trusted networks. It does not extend natively to cloud applications or external users, which is why SAML and OIDC fill the federated identity role in modern hybrid environments.
Kerberos is a system where a trusted server issues temporary "tickets" that prove your identity. Instead of sending your password to every service you want to use, you get a ticket once and use it to gain access, similar to a physical badge that grants you entry to different areas of a building.
They solve different problems. Kerberos handles authentication, proving who you are. LDAP (Lightweight Directory Access Protocol) handles directory lookups, finding information about users, groups, and resources. In Active Directory, both work together: Kerberos authenticates the user, and LDAP is used to query directory data.
Yes, but with limitations. Kerberos remains the backbone of on-premises Active Directory authentication. For cloud applications, organizations typically layer SAML or OIDC on top of AD, often using Azure AD Connect or similar federation tools, which means Kerberos still handles the on-premises leg of hybrid authentication flows.
Kerberoasting is an attack technique where an authenticated domain user requests service tickets for accounts with SPNs, then attempts to crack the ticket hashes offline. Since any domain user can request these tickets, the attack requires no special privileges. The defense is enforcing strong, regularly rotated passwords on all service accounts.
New Kerberos authentications fail. Users already logged in with valid TGTs can continue accessing services until their tickets expire, but no new logins can be completed until a KDC is reachable. This is why redundant domain controllers are essential in production Active Directory environments.
Not natively, Kerberos itself only handles password-based authentication. MFA for Kerberos-authenticated environments is typically implemented at the pre-authentication layer, often through smart cards (PKINIT) or by routing initial logins through an MFA-enabled identity provider before the Kerberos ticket is issued.