+1 (512) 588 6950
An authentication protocol aims to ensure that a person, a program or an entity that is trying to access to a resource, an information or a system, it is truly it and not an intruder.
One of the most known authentication protocol in Windows environment is Kerberos (RFC 1510 for the V5).
Initially the protocol was developed by the MIT in the late ’80s but is still used by Windows as the default authentication protocol on Active Directory environments replacing the old NTLM protocol (old but widely used an active in many AD environments).
At the base of Kerberos there are the simple cryptographic concepts of symmetric key and trusted third-party.
A symmetric key is just a word/string used by the parties to encrypt or decrypt a message.
A trusted third-party is an entity other than the owner and verifier that is trusted by the owner, the verifier or both to provide certain services. In the case of Kerberos the trusted third-party provide the authentication services: that’s the Domain Controller generally speaking.
For the Kerberos authentication the most known keyword is: ticket.
A ticket is just a “pass” to access a cinema, a concert or a Windows service in this case.
When a user wants to access any service (i.e. his Windows workstation) in a Windows domain, it needs a Service Ticket.
To get a Service Ticket, the client needs to talk to the Ticket-Granting Server (TGS), and to talk to the TGS, it needs a special Service Ticket. The Service Ticket for the TGS is known as the Ticket-Granting Ticket (TGT).
In a real world example to enter a concert you need a ticket (TGT) and on entrance a part of it is torn by the staff after being validate using a scanner; the remaining part is the TGS that allows you to access the seats, the backstage, etc.
The Kerberos protocol includes the following 3 entities in the authentication process:
The authentication protocol flow is the one described in the following picture; the next paragraphs will explode every steps.
The request includes the following data:
2. The Key Distribution Center verify the user identity by decrypting the timestamp and, if it is correct (the decryption is possible), respond with a KRB_AS_REP message:
The response includes the following data:
3. Now the use has the TGT an can be used to request a TGS to access the service using the provided TGT sending a KRB_TGS_REQ message:
The message includes the following data:
4. The KDC validates the request and the TGT and then returns a TGS inside a KRB_TGS_REP message:
The response contains:
5. The user can finally send the TGS to interact with the service (AP) using a KRB_AP_REQ message:
The message contains:
For further security verification (this steps is optional) the AP can send a KERB_VERIFY_PAC request to the KDC to validate the PAC message content. The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges; if the KDC validates (if not vulnerable to MS14–068) the user permissions; the access is granted.