What is Kerberos in Networking?
Learn what Kerberos is, how tickets and the KDC enable single sign-on, and why passwords never cross the network.
Expected Interview Answer
Kerberos is a network authentication protocol that uses trusted third-party ticket-granting servers and symmetric-key cryptography to let clients and services prove their identity to each other without ever sending a password over the network.
A client first authenticates once to a Key Distribution Center (KDC), which issues a Ticket-Granting Ticket (TGT) encrypted with a key derived from the user’s password; the client never has to resend that password again for the rest of the session. When the client wants to reach a specific service, it presents the TGT to the KDC’s Ticket-Granting Service and receives a service ticket, which it then hands to the target service; the service decrypts the ticket with a key it shares only with the KDC to confirm the client is genuine. Tickets are time-limited and include timestamps to prevent replay attacks, and the whole exchange relies on mutual trust in the KDC rather than the client and service trusting each other directly. Kerberos underpins single sign-on in enterprise environments such as Windows Active Directory, letting a user log in once and transparently access file shares, databases, and applications without repeated password prompts.
- Passwords never travel across the network, even in encrypted form repeatedly
- Enables single sign-on across many services after one initial login
- Time-limited tickets with timestamps resist replay attacks
- Mutual authentication confirms both client and service identity
AI Mentor Explanation
Kerberos is like a stadium accreditation office that checks a broadcaster’s credentials once in the morning and issues a stamped, time-limited wristband, rather than making them show ID at every single gate all day. When the broadcaster wants into the commentary box, they show that wristband to a second desk, which issues a specific box pass valid only for the next two hours, and the commentary box staff trust that pass because it was stamped by the same accreditation office they also trust. No one ever asks the broadcaster to say their password out loud again after the first check, exactly how Kerberos avoids resending credentials after the initial ticket is issued.
Step-by-Step Explanation
Step 1
Initial authentication
The client authenticates once to the KDC and receives a Ticket-Granting Ticket (TGT) encrypted with a key derived from the password.
Step 2
Service ticket request
The client presents the TGT to the Ticket-Granting Service to request access to a specific service.
Step 3
Service ticket issued
The KDC issues a service ticket encrypted with a key shared only between the KDC and that service.
Step 4
Mutual authentication
The client presents the service ticket to the service, which decrypts it to verify the client, completing mutual trust without a password exchange.
What Interviewer Expects
- Explains the role of the KDC, TGT, and service tickets
- Understands that the password never crosses the network after initial setup
- Mentions time-limited tickets and timestamps preventing replay attacks
- Connects Kerberos to single sign-on use cases like Active Directory
Common Mistakes
- Thinking Kerberos sends an encrypted password on every request
- Confusing the TGT with a service ticket
- Not knowing Kerberos relies on symmetric-key cryptography and a trusted KDC
- Forgetting tickets are time-limited, which is why clock skew breaks Kerberos auth
Best Answer (HR Friendly)
“Kerberos is a way for you to log in once and then access many different systems without typing your password again and again. A trusted central server checks who you are the first time and hands you a time-limited digital ticket, and each system you visit afterward trusts that ticket instead of asking for your password directly, which is what makes single sign-on at work possible.”
Code Example
# Authenticate to the KDC and obtain a Ticket-Granting Ticket
kinit alice@EXAMPLE.COM
# Password for alice@EXAMPLE.COM: ********
# List cached tickets, including the TGT and any service tickets
klist
# Ticket cache: FILE:/tmp/krb5cc_1000
# Default principal: alice@EXAMPLE.COM
#
# Valid starting Expires Service principal
# 07/18/26 09:00:00 07/18/26 19:00:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM
# Destroy tickets when done
kdestroyFollow-up Questions
- What is the difference between a Ticket-Granting Ticket and a service ticket?
- Why is clock synchronization critical for Kerberos to function correctly?
- How does Kerberos prevent replay attacks?
- How does Kerberos compare to certificate-based mutual TLS authentication?
MCQ Practice
1. What does the KDC issue after a client’s initial authentication?
The KDC issues a TGT after successful initial authentication, avoiding repeated password transmission.
2. What cryptographic approach does Kerberos primarily rely on?
Kerberos uses symmetric keys shared with a trusted Key Distribution Center to encrypt tickets.
3. Why are Kerberos tickets time-limited?
Time-limited tickets with timestamps prevent an attacker from replaying a captured ticket later.
Flash Cards
What is Kerberos? — A network authentication protocol using a trusted KDC and tickets so passwords never cross the network repeatedly.
What is a TGT? — A Ticket-Granting Ticket issued after initial login, used to request service tickets without re-sending the password.
Where does Kerberos shine? — Single sign-on in enterprise environments like Windows Active Directory.
Why does Kerberos need synchronized clocks? — Tickets carry timestamps to prevent replay attacks; clock skew causes authentication failures.