Term · 3. Authentication Protocols
Kerberos
Kerberos is a network authentication protocol that uses time-limited, encrypted tickets issued by a trusted Key Distribution Center (KDC), so users and services prove identity without sending passwords over the network. It provides mutual authentication and is the default for Windows Active Directory domain logon. It is strong but clock-dependent and tied to the internal network, which is why federation protocols extend it for cloud and web access.
Definition
Network authentication protocol developed at MIT (Kerberos v5: IETF RFC 4120, 2005) using symmetric-key cryptography and a trusted Key Distribution Center (KDC) to grant time-limited tickets. Foundation of Windows domain authentication (Active Directory). Supports mutual authentication, single sign-on across trusted domains, and delegation.
- Synonyms: Kerberos
- Application
- Active Directory deployments universally use Kerberos for domain authentication. Web/cloud deployments increasingly replace Kerberos with SAML/OIDC (better internet support, no clock-sync requirements). Kerberos-specific attacks: Golden Ticket, Silver Ticket, Pass-the-Ticket — major ITDR detection targets.
- Standards & regulations
- RFC 4120 «This document provides an overview and specification of Version 5 of the Kerberos protocol, and it obsoletes RFC 1510 to clarify aspects of the protocol and its intended use that require more detailed»
- RFC 1510 «This document gives an overview and specification of Version 5 of the protocol for the Kerberos network authentication system.»
- RFC 3961 «This document describes a framework for encryption and checksum mechanisms for use with the Kerberos network authentication system.»
- RFC 4121 «This document defines protocols, procedures, and conventions to be employed by peers implementing the Generic Security Service Application Program Interface (GSS-API), when using the Kerberos Version »
- RFC 4556 «The Kerberos V5 protocol [RFC4120] involves use of a trusted third party known as the Key Distribution Center (KDC) to negotiate shared session keys between clients and services and provide mutual aut»
- RFC 5021 «This document specifies an extension to the Kerberos protocol as defined in RFC 4120, in section 7.2.2, for the transport of Kerberos protocol messages over TCP.»
- RFC 4537 «This document specifies an extension to the Kerberos protocol as defined in RFC 4120, in which the client can send a list of supported encryption types in decreasing preference order, and the server t»
- RFC 4752 «This specification documents currently deployed Simple Authentication and Security Layer (SASL) mechanism supporting the Kerberos V5 [KERBEROS] Generic Security Service Application Program Interface (»
- RFC 6251 «This document specifies how the Kerberos V5 protocol can be transported over the Transport Layer Security (TLS) protocol in order to provide additional security features.»
- Sources
- Kerberos V5 — RFC 4120 primary source
Related terms
- Public Key Infrastructure (PKI): distributed system of services, components, and policies supporting cryptographic oper …
- DPoP (Demonstration of Proof of Possession): IETF RFC 9449, OAuth 2.0 mechanism binding an access token to a private key held …
- mTLS (mutual TLS): both client and server authenticate each other via certificates during TLS handshake. RFC 8705 specifies OA …
- OpenID Connect (OIDC): identity layer on top of OAuth 2.0 (OpenID Foundation, OIDC Core 1.0). Provides standardized authentication via JWT ID t …
- Authentication (AuthN): process of verifying that a principal is who they claim to be. Three classic factors: knowledge (password, PIN), possess …
- Credential: data presented to authenticate or authorize — password, token, certificate, biometric, API key. NIST SP 800-63 distingui …
Frequently asked questions
How does Kerberos work?
A user authenticates once to the KDC and receives a ticket-granting ticket (TGT). To reach a service, the client exchanges the TGT for a service ticket, which the service validates without contacting the KDC again. Passwords never traverse the network, and tickets expire quickly.
Why does Kerberos require synchronized clocks?
Tickets carry timestamps to prevent replay attacks, so clients, services and the KDC must agree on time (typically within five minutes). Clock drift is the most common cause of Kerberos failures, which is why domains rely on NTP.
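The two answers above describe the three ticket exchanges and the clock-skew rule. The following Python model is an added example, not code from this page, from MIT Kerberos or from any real implementation: the realm EXAMPLE.COM, the principals alice and HTTP/web.example.com, and the seal/unseal cipher are constructed stand-ins (a real deployment uses an RFC 3961 enctype such as AES). It walks through the AS, TGS and AP exchanges, shows the service validating a ticket with only its own key and no call to the KDC, shows that a wrong password yields nothing usable because the password itself is never transmitted, and shows why a client clock ten minutes off, or an expired ticket, is rejected.

```python
"""Toy model of the Kerberos ticket flow (AS, TGS and AP exchanges, RFC 4120 terms)."""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300  # seconds; RFC 4120 recommends a maximum clock skew of five minutes


# Toy authenticated encryption standing in for a real RFC 3961 enctype (illustration only).
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):  # encrypt a dict under key and append an HMAC tag
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, realm, principal):  # toy analogue of RFC 3961 string-to-key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def check_authenticator(ticket, authenticator, session_key, now, skew=MAX_SKEW):
    """The local checks every verifier (KDC or service) performs; no call back to the KDC."""
    auth = unseal(session_key, authenticator)  # only the legitimate ticket holder has this key
    if auth["cname"] != ticket["cname"]:
        raise PermissionError("authenticator principal does not match ticket")
    if now > ticket["endtime"]:
        raise PermissionError("ticket expired")
    if abs(auth["ctime"] - now) > skew:
        raise PermissionError("clock skew too great")
    return ticket["cname"]

class KDC:
    def __init__(self, realm, lifetime=8 * 3600):
        self.realm, self.lifetime, self.tgs = realm, lifetime, "krbtgt/" + realm
        self.keys = {self.tgs: os.urandom(32)}  # principal -> long-term key

    def _issue(self, cname, sname, now):  # sealed under the *service's* key, so opaque to the client
        session = os.urandom(32)
        body = {"cname": cname, "sname": sname, "key": session.hex(), "authtime": now, "endtime": now + self.lifetime}
        return seal(self.keys[sname], body), session

    def as_exchange(self, cname, now):  # AS-REP: TGT plus the TGT session key under the user's key
        tgt, session = self._issue(cname, self.tgs, now)
        return tgt, seal(self.keys[cname], {"key": session.hex()})

    def tgs_exchange(self, tgt, authenticator, sname, now):  # TGS-REP: validate TGT, issue service ticket
        inner = unseal(self.keys[self.tgs], tgt)
        tgt_key = bytes.fromhex(inner["key"])
        check_authenticator(inner, authenticator, tgt_key, now)
        st, svc_session = self._issue(inner["cname"], sname, now)
        return st, seal(tgt_key, {"key": svc_session.hex()})

def make_authenticator(cname, session_key, client_now):
    return seal(session_key, {"cname": cname, "ctime": client_now})

def client_login(kdc, cname, password, now):
    """Only a client holding the right password can open the AS-REP; the password never leaves the host."""
    tgt, enc_part = kdc.as_exchange(cname, now)
    tgt_key = bytes.fromhex(unseal(string_to_key(password, kdc.realm, cname), enc_part)["key"])
    return {"cname": cname, "tgt": tgt, "tgt_key": tgt_key}

def client_get_service_ticket(kdc, creds, sname, now):
    auth = make_authenticator(creds["cname"], creds["tgt_key"], now)
    st, enc_part = kdc.tgs_exchange(creds["tgt"], auth, sname, now)
    return st, bytes.fromhex(unseal(creds["tgt_key"], enc_part)["key"])

def service_accept(service_key, st, authenticator, service_now):
    """AP-REQ handling: the service decrypts with its own keytab key; the KDC is not contacted."""
    ticket = unseal(service_key, st)
    return check_authenticator(ticket, authenticator, bytes.fromhex(ticket["key"]), service_now)

def demo():
    kdc = KDC("EXAMPLE.COM")  # constructed realm, user and service principal
    kdc.keys["alice"] = string_to_key("correct horse battery staple", kdc.realm, "alice")
    kdc.keys["HTTP/web.example.com"] = svc_key = os.urandom(32)  # the service's keytab copy
    t0, out = 1_700_000_000, {}
    try:
        client_login(kdc, "alice", "wrong password", t0)
    except ValueError:
        out["wrong_password"] = "cannot decrypt AS-REP, so no usable TGT"
    creds = client_login(kdc, "alice", "correct horse battery staple", t0)
    st, sk = client_get_service_ticket(kdc, creds, "HTTP/web.example.com", t0 + 60)
    out["ok"] = service_accept(svc_key, st, make_authenticator("alice", sk, t0 + 120), t0 + 120)
    for label, client_now, service_now in [("skew", t0 + 120, t0 + 720),  # client clock 10 min behind
                                           ("expired", t0 + 9 * 3600, t0 + 9 * 3600)]:
        try:
            service_accept(svc_key, st, make_authenticator("alice", sk, client_now), service_now)
        except PermissionError as e:
            out[label] = str(e)
    return out
```

Running `demo()` returns a dict with `"ok": "alice"` for the honest path and the rejection reasons for the wrong-password, clock-skew and expired cases. Two design points carry over to real deployments: the service ticket is decrypted with the service's own key and checked against the local clock, which is exactly why the KDC need not be online for every access and why time synchronisation is part of the security model, not just an operational nicety.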
Is Kerberos still used?
Yes — it is the backbone of on-premises Active Directory authentication. For cloud and web apps it is usually fronted by SAML or OIDC, but inside the corporate network Kerberos remains the dominant single sign-on mechanism.