What is Kerberos Authentication?
Kerberos is a network authentication protocol that is widely used in computer networks to validate the identities of users and systems. It provides a secure way to authenticate users, ensuring that only authorized individuals can access resources on a network. Kerberos uses a trusted third-party server called the Key Distribution Center (KDC) to facilitate the authentication process. When a user tries to access a resource, they send a request to the KDC, which then verifies their identity and issues a ticket granting ticket (TGT). The TGT is used to request a service ticket, which grants access to specific resources. Kerberos authentication uses a system of encrypted tickets, ensuring that the user’s credentials are securely transmitted and cannot be tampered with.
How Does Kerberos Authentication Work?
The authentication process starts when a client requests access to a server. The client sends an authentication request to the KDC, which verifies that the username and password are valid. Upon verification, the KDC issues a ticket-granting ticket (TGT) together with a session key and sends them to the client. The client then presents the TGT to the KDC along with a request for a specific server. The KDC issues a service ticket for the requested server, encrypted with the session key. Finally, the client presents the service ticket to the server, confirming its identity and establishing a secure connection.
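The three exchanges described above (AS, TGS and AP), modelled in Python as an added example that is not code from the page or from Lepide. It seals messages with a constructed SHA-256 keystream plus HMAC tag instead of Kerberos's real encryption types, and uses constructed principal names, keys and a constructed password; what it demonstrates is that the password never leaves the client, that each ticket is readable only by its intended holder (krbtgt key for the TGT, the service's key for the service ticket), and that a ticket alone is useless without the session key needed to build a fresh authenticator.

```python
"""Toy model of the three exchanges described above: AS (login), TGS (getting
a service ticket) and AP (presenting it to the service). Added example, not
code from the page or from Lepide. Messages are sealed with a constructed
SHA-256 keystream plus HMAC tag (standard library only), not Kerberos's real
encryption types; principal names and the password are constructed values."""
import hashlib, hmac, json, os

LIFETIME = 10 * 3600   # assumed ticket lifetime (seconds)
CLOCK_SKEW = 300       # assumed tolerance for authenticator timestamps
SERVICE = "http/web.example.local"   # constructed service principal

def key_from_password(password, principal):
    # Long-term key from the password, salted with the principal name
    # (the idea behind Kerberos string-to-key; parameters here are assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    # Toy authenticated encryption: nonce || ciphertext || HMAC tag.
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))

def _check_authenticator(ticket, authenticator, now):
    # Only the holder of the ticket's session key can mint a fresh authenticator,
    # which is why a stolen ticket on its own is not enough to use the service.
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator rejected")

class KDC:
    def __init__(self, keys):
        self.keys = keys   # principal name -> long-term key (the KDC database)

    def as_exchange(self, client, now):
        # AS-REP: TGT under the krbtgt key, session key under the client's key.
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "end": now + LIFETIME})
        return tgt, seal(self.keys[client], {"sk": sk, "end": now + LIFETIME})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS-REP: service ticket under the service key, new session key under the TGT session key.
        t = unseal(self.keys["krbtgt"], tgt)
        if now >= t["end"]:
            raise ValueError("TGT expired")
        _check_authenticator(t, authenticator, now)
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": ssk, "end": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk, "service": service})

def service_accept(service_key, ticket, authenticator, now):
    # AP-REQ handling: the service needs only its own key, never the KDC.
    t = unseal(service_key, ticket)
    if now >= t["end"]:
        raise ValueError("service ticket expired")
    _check_authenticator(t, authenticator, now)
    return t["client"]

def client_login(kdc, name, password, now):
    tgt, enc_part = kdc.as_exchange(name, now)
    sk = unseal(key_from_password(password, name), enc_part)["sk"]   # wrong password -> bad tag
    return {"name": name, "tgt": tgt, "sk": bytes.fromhex(sk)}

def client_service_ticket(kdc, creds, service, now):
    auth = seal(creds["sk"], {"client": creds["name"], "ts": now})
    ticket, enc_part = kdc.tgs_exchange(creds["tgt"], auth, service, now)
    return {"ticket": ticket, "sk": bytes.fromhex(unseal(creds["sk"], enc_part)["sk"])}

def make_kdc():
    # Constructed KDC database: one user, the krbtgt key and one service key.
    keys = {"alice": key_from_password("correct horse", "alice"),
            "krbtgt": os.urandom(32), SERVICE: os.urandom(32)}
    return KDC(keys), keys

def run_demo(now, password="correct horse"):
    """Login, obtain a service ticket, present it. Returns the accepted client
    name, or None if the KDC or the service refused a step (e.g. wrong password)."""
    kdc, keys = make_kdc()
    try:
        creds = client_login(kdc, "alice", password, now)
        st = client_service_ticket(kdc, creds, SERVICE, now)
        auth = seal(st["sk"], {"client": "alice", "ts": now})
        return service_accept(keys[SERVICE], st["ticket"], auth, now)
    except ValueError:
        return None

def stolen_ticket_demo(now):
    """Ticket captured without its session key: the forged authenticator is refused."""
    kdc, keys = make_kdc()
    st = client_service_ticket(kdc, client_login(kdc, "alice", "correct horse", now), SERVICE, now)
    forged = seal(os.urandom(32), {"client": "alice", "ts": now})   # holder lacks st["sk"]
    try:
        service_accept(keys[SERVICE], st["ticket"], forged, now)
        return False
    except ValueError:
        return True
```

Running `run_demo(int(time.time()))` returns `"alice"`; with a wrong password the client cannot unseal the AS reply, so the login fails on the client side without the password ever being sent. `stolen_ticket_demo` shows the property from the benefits list below: a captured service ticket is refused because the presenter cannot seal an authenticator under the ticket's session key.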
The Benefits of Kerberos Authentication
Some of the benefits of Kerberos authentication are as follows:
- Passwords are never exposed to eavesdropping as they are not transmitted over the network.
- Users only need to type their password on their local workstation, preventing it from being stored on remote servers.
- The encryption techniques used in Kerberos make password guessing more difficult.
- It enables Single Sign-on (SSO), reducing the need for users to remember multiple passwords.
- Stolen tickets are hard to reuse as they require the corresponding authenticator.
- Kerberos allows for centralized management of authentication, making it easier to secure a small set of limited-access machines and to recover from host compromises.
- User account administration is also centralized, simplifying the administration process.
The Components of Kerberos Authentication
The core components of Kerberos authentication include:
Core Components | Description |
---|---|
Authentication Server (AS) | The AS is responsible for authenticating the user’s identity and providing the initial Ticket Granting Ticket (TGT). |
Ticket Granting Server (TGS) | The TGS is responsible for issuing the Service Granting Tickets (SGTs) used to access specific services. |
Key Distribution Center (KDC) | The KDC acts as a combined entity that includes both the AS and TGS. It stores the user’s credentials and is responsible for authentication and ticket-granting. |
Client | The client is the entity requesting access to a service. It initiates the authentication process by requesting a TGT from the AS. |
Service Server | The service server hosts the desired service and validates the SGT presented by the client. |
Tickets | Tickets are the encrypted credentials that are issued by the KDC and used by the client to prove its identity to the service server. |
Encryption and Decryption Keys | Kerberos uses symmetric key encryption techniques, and thus, encryption and decryption keys play a crucial role in securing the exchanged messages between components. |
Authentication Protocol | Kerberos employs a specific authentication protocol for secure communication between the client, AS, TGS, and service server. The protocol includes various message exchanges involving requests, authenticators, and responses. |
The Kerberos Authentication Process
During the authentication process, Kerberos saves a specific ticket for each session on the device of the end-user. Instead of a password, a Kerberos-aware service checks for this ticket. Kerberos authentication occurs within a Kerberos realm, which is an environment where a KDC is authorized to authenticate a service, host, or user.
Kerberos authentication comprises several steps involving different components, which include:
Step 1: The client, initiating the request for a service on behalf of the user.
Step 2: The server, hosting the service that the user wants to access.
Step 3: The AS (Authentication Server), responsible for client authentication. If the authentication is successful, the client receives a ticket-granting ticket (TGT) or user authentication token, serving as evidence of successful authentication.
Step 4: The KDC (Key Distribution Center) consisting of three components: the AS, the TGS (Ticket Granting Server), and the Kerberos database.
Step 5: The TGS application, which issues service tickets.
The Different Types of Kerberos Tickets
Tickets have properties that dictate their usage and can be assigned or modified when created. These properties include being forwardable, initial, invalid, postdatable, proxiable, and renewable, which are explained below.
Type | Description |
---|---|
Forwardable | A forwardable ticket allows a ticket to be sent from one host to another without reauthentication. |
Initial | An initial ticket is issued directly and not based on a ticket-granting ticket. |
Invalid | An invalid ticket is postdated and cannot be used until it is validated. |
Postdatable | A postdated ticket becomes valid after a specified time. |
Proxiable | A proxiable ticket allows a service to perform an operation on behalf of the principal. |
Renewable | Renewable tickets have two expiration times: the current instance expiration and the maximum ticket lifetime, which is usually a week. Renewable tickets must be renewed before the initial expiration time to continue usage. Once the maximum lifetime is reached, the ticket expires and cannot be renewed. |
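The ticket properties in the table are carried as flag bits in the ticket; the following added example (not code from the page) decodes them and applies the postdated/invalid and renewable rules just described. Bit positions follow the TicketFlags definition in RFC 4120 section 5.3, with bit 0 the most significant bit of the 32-bit value that `klist` prints; bit 15 is the Windows-specific name_canonicalize flag. The flag value and times used in the test are constructed; times are plain integers in seconds.

```python
"""Decode a Kerberos ticket's flags and apply the renewable/postdated rules
from the table above. Added example, not code from the page. Bit numbers
follow RFC 4120 section 5.3 TicketFlags (bit 0 = most significant bit of the
32-bit value shown by klist); bit 15 is Windows's name_canonicalize flag.
Sample values are constructed; times are integer seconds."""
HOUR, DAY = 3600, 24 * 3600

TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate", 15: "name-canonicalize",
}

def decode_ticket_flags(value):
    """Names of the set flags, e.g. for klist's 'Ticket Flags 0x40e10000'."""
    return [name for bit, name in sorted(TICKET_FLAG_BITS.items())
            if value & (1 << (31 - bit))]

def is_usable(now, flags, start_time, end_time):
    """A ticket can be presented only inside its validity window and only once
    it no longer carries 'invalid' (a postdated ticket keeps that flag until
    the KDC validates it)."""
    if "invalid" in decode_ticket_flags(flags):
        return False
    return start_time <= now < end_time

def try_renew(now, flags, end_time, renew_till, lifetime):
    """Renewal rule from the table: only renewable tickets, only before the
    current end time, and never beyond renew_till (the maximum lifetime).
    Returns the new end time, or None if the ticket can no longer be renewed."""
    if "renewable" not in decode_ticket_flags(flags):
        return None
    if now >= end_time or now >= renew_till:
        return None
    return min(now + lifetime, renew_till)

if __name__ == "__main__":
    flags = 0x40e10000   # constructed, in the format klist prints
    print(hex(flags), "->", " ".join(decode_ticket_flags(flags)))
    print("renewed until:", try_renew(5 * HOUR, flags, 10 * HOUR, 7 * DAY, 10 * HOUR))
```

With a 10-hour ticket lifetime and a 7-day maximum, a renewal at hour 5 moves the end time to hour 15; a renewal attempted at hour 11 is refused because the current instance has already expired, and a renewal shortly before the 7-day mark is capped at the maximum lifetime rather than extended past it.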
Common Kerberos Authentication Attacks
Below are some of the most well-known Kerberos authentication attacks:
SPN Scanning: This attack involves searching for services by requesting the service principal names (SPN) belonging to a particular SPN class/type. Attackers use this technique to gather information about available services within a target Active Directory (AD) environment.
Silver Ticket: In this attack, adversaries forge a Kerberos Ticket Granting Service (TGS) ticket. By generating a malicious TGS ticket, attackers can gain unauthorized access to specific services within the AD environment without having to provide valid user credentials.
Golden Ticket: Similar to the Silver Ticket attack, the Golden Ticket attack involves forging a Ticket Granting Ticket (TGT) authentication ticket. By creating a malicious TGT, adversaries can establish total control over the AD domain, granting themselves unauthorized and persistent access to various services without the need for valid user credentials.
MS14-068 Forged PAC Exploit: This attack takes advantage of a vulnerability in the Kerberos protocol present on Domain Controllers. Adversaries exploit this vulnerability to create a forged Privilege Attribute Certificate (PAC), allowing them to elevate their privileges within the AD environment and potentially gain unauthorized access or perform malicious actions.
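On the defender's side, the SPN scanning pattern above leaves a trace in the KDC's own logging: one account requesting service tickets for many distinct services in a short window. The following added example (not Lepide's detection logic, and not code from the page) runs that check over a constructed, simplified key=value rendering of Windows security event 4769 (a Kerberos service ticket was requested); real events are XML/EVTX records with more fields, and the threshold and window are assumed values to tune per environment.

```python
"""Flag accounts that request service tickets for many distinct services in a
short window, a pattern consistent with the SPN scanning described above.
Added example, not Lepide's detection logic. Input is a constructed,
simplified key=value rendering of Windows security event 4769; the 60 s window
and threshold of 5 distinct services are assumed starting points."""
from collections import defaultdict

# Constructed sample: alice's two normal requests, then one account asking for
# five different services within ten seconds, plus one later unrelated request.
SAMPLE_EVENTS = """\
ts=1700000000 id=4769 user=alice@EXAMPLE.LOCAL service=cifs/fs01.example.local ip=10.0.0.5
ts=1700000040 id=4769 user=alice@EXAMPLE.LOCAL service=http/intranet.example.local ip=10.0.0.5
ts=1700000300 id=4769 user=scanner@EXAMPLE.LOCAL service=cifs/fs01.example.local ip=10.0.0.77
ts=1700000302 id=4769 user=scanner@EXAMPLE.LOCAL service=http/intranet.example.local ip=10.0.0.77
ts=1700000303 id=4769 user=scanner@EXAMPLE.LOCAL service=mssqlsvc/db01.example.local:1433 ip=10.0.0.77
ts=1700000305 id=4769 user=scanner@EXAMPLE.LOCAL service=ldap/dc01.example.local ip=10.0.0.77
ts=1700000309 id=4769 user=scanner@EXAMPLE.LOCAL service=host/app02.example.local ip=10.0.0.77
ts=1700003600 id=4769 user=scanner@EXAMPLE.LOCAL service=cifs/fs02.example.local ip=10.0.0.77
"""

def parse_event(line):
    """Parse one 'k=v k=v ...' line into a dict; None for lines that do not fit."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"ts", "id", "user", "service"}.issubset(fields):
        return None
    fields["ts"] = int(fields["ts"])
    return fields

def find_spn_burst(lines, window=60, threshold=5):
    """Return {user: sorted services} for every user that requested tickets for
    at least `threshold` distinct services within any `window`-second span.
    The window is anchored at each of the user's events in turn, so a burst is
    caught wherever it starts; the first qualifying window is reported."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["id"] == "4769":
            per_user[ev["user"]].append(ev)
    flagged = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            in_window = {e["service"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(in_window) >= threshold:
                flagged[user] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    for user, services in find_spn_burst(SAMPLE_EVENTS.splitlines()).items():
        print(f"{user}: {len(services)} distinct services in one window -> {services}")
```

On the sample, only the scanning account is flagged; alice's two requests stay under the threshold, and the scanner's later request an hour after the burst does not join the window. Counting distinct services rather than raw event volume keeps a busy user who repeatedly hits the same share from tripping the rule.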
How Lepide Helps Protect Active Directory
By continuously monitoring and analyzing Active Directory account activities, the Lepide Data Security Platform can detect unusual patterns or anomalies in the Kerberos authentication process. It can identify potential signs of Kerberos attacks, such as ticket reuse, or manipulation of authentication tokens. It can also detect and manage inactive service accounts, as well as detect and respond to failed login attempts. When suspicious activity is detected, it can send a real-time alert to the administrator or automatically execute a custom script to prevent the Kerberos Authentication attack from spreading.
If you’d like to see how the Lepide Data Security Platform can help to safeguard your Active Directory, schedule a demo with one of our engineers.