Kerberos Authentication, Key Distribution Center (KDC), Ticket Granting Ticket (TGT)

Kerberos was originally developed by Massachusetts Institute of Technology (MIT) Project Athena. It was published as a suite of free software by Massachusetts Institute of Technology (MIT) that implements this protocol. The name "Kerberos" is taken from the three-headed dog of Greek mythology, Kerberos is designed to work across the Internet, an inherently insecure environment.

The Kerberos protocol is a secure protocol, and it provides mutual authentication between a client and a server. In Kerberos protocol, the client authenticates against the server and also the server authenticates itself against the client. With mutual authentication, each computer or a user and computer can verify the identity of each other. Kerberos is extremely efficient for authenticating clients in large enterprise network environments. Kerberos uses secret key encryption for authentication traffic from the client.
The same secret key is also used by the Kerberos protocol on the server to decrypt the authentication traffic.

Kerberos protocol is built on top of a trusted third party, called as Key Distribution Center (KDC). Key Distribution Center (KDC)   acts as both an Authentication Server and as a Ticket Granting Server. When a client needs to access a resource on the server, the user credentials (password, Smart Card, biometrics) are presented to the Key Distribution Center (KDC) for authentication. If the user credentials are successfully verified in the Key Distribution Center (KDC), Key Distribution Center (KDC) issues a Ticket Granting Ticket (TGT) to the client. The Ticket Granting Ticket (TGT) is cached in the local machine for future use. The Ticket Granting Ticket (TGT) expires when the user disconnects or log off the network, or after it expires. The default expiry time is one day (86400 seconds).

When the client wants to access a resource on a remote server, the client presents the previously granted and cached Ticket Granting Ticket (TGT) to the authenticating KDC. The authenticating Key Distribution Center (KDC) returns a session ticket to the client to access to the resource. The client presents the session ticket to the remote resource server. The remote server allows the session to be established to the resource after accepting the session ticket.

Related Tutorials