What is Kerberos? – Definition, Elements and More

What is Kerberos?

Kerberos is an authentication protocol, but not an authorization one. This means that the protocol is responsible for identifying each user, through a password known only to him, but does not determine what resources or services that user can access or not.

The extensive use of Kerberos is in Active Directory. In this platform, Kerberos gives information about the privileges of each authenticated user.

But it is the responsibility of the services to verify that said privileges are sufficient to access its resources.

Also Read: What is Phishing? – Definition, Methods, and More

Elements that are part of Kerberos

We can see several factors that are part of the Kerberos ecosystem in this section.

Transport layer

In this regard, it should be noted that Kerberos uses UDP or TCP as transport protocols, which transmit the information in clear, so it must provide the encryption layer itself.

The Kerberos protocol uses the UDP / 88 and TCP / 88 ports, which we find listening to the KDC (explained in the next section).


In Kerberos, there are several services responsible for performing user authentication. Among these are the following:

  • The client or user who wants to access the service.
  • It exposes the AP (Application Server) where the service that the user wants to access.

The KDC (Key Distribution Center), the Kerberos service responsible for distributing tickets to customers, installed on the DC (Domain Controller). Besides, it has the AS (Authentication Service), which is responsible for issuing the TGTs.

Encryption keys

Several structures managed by Kerberos, such as tickets, are transmitted encrypted or signed.

This prevents them from being manipulated by third parties. The encryption keys used by Kerberos, in Active Directory, are as follows:

  • KDC key or krbtgt: key derived from the NTLM hash of the krbtgt account.
  • User password: password derived from the user’s own NTLM hash.
  • Service key: key derived from the NTLM hash of the service owner, which can be a user or service account.
  • Session key: key negotiated by the client and the KDC.
  • Service session key: a negotiated key to use between the client and the AP.


Kerberos handles structures called “Tickets,” which are delivered to authenticated users so that they can perform specific actions within the Kerberos domain. 2 types are distinguished:

The TGS (Ticket Granting Service) presents the ticket to a service to access its resources. And also, it encrypts with the corresponding service code.

The TGT (Ticket Granting Ticket) presents the ticket to the KDC to obtain the TGS. Also, it encrypts with the KDC password.


The PAC (Privilege Attribute Certificate) includes a structure in most tickets. This structure contains the user’s privileges and signs with the KDC key.

The services can verify the PAC by contacting the KDC, although this is not common. However, the verification of the PAC is only to verify your signature, without checking if the privileges are correct.

On the other hand, a customer can prevent the PAC from its inclusion by specifying it in the KERB-PA-PAC-REQUEST field of the ticket request.


The Kerberos protocol allows the communication of different agents through different types of messages.

Also Read: What is TAN [Transaction Authentication Number]? – Definition, and More

Also You can find more helpful resources at themarketingpilot

Review What is Kerberos? – Definition, Elements and More. Cancel reply

Kamran Sharief

I write about technology, marketing and digital tips. In the past I've worked with Field Engineer, Marcom Arabia and You can reach me at

Published by
Kamran Sharief

Recent Posts

Protect Yourself From Hackers In Just 3 Steps

Mark the Premonition of the expert! Cybercrime will hit the world hard and cost a… Read More

May 27, 2022

Operator Licensing Procedure in Poland

Operator Licensing Procedure in Poland Setting up an online casino Poland requires obtaining a license.… Read More

May 27, 2022

How Demand Sensing is Better than Demand Forecasting and What are the Ways to Improve Forecasting

For businesses to gain an edge over the competition, strategy makers must pick up signals… Read More

May 27, 2022

Which is the best voice to use for my Text to Speech (TTS) project?

Text-to-Speech is an advanced assistant technology that can read digital text. It reads words on… Read More

May 26, 2022

Top Prediction For Web3 & Crypto Economy For 2022

The internet has changed our lives and has brought us close together in ways we… Read More

May 25, 2022

Top 3 Qualities to Look For in Speaker Cables For Outdoor Entertainment

Top 3 Qualities to Look in Speaker Cables For Outdoor Entertainment Speaker wires are essential,… Read More

May 25, 2022