{"id":5031,"date":"2020-01-23T19:17:02","date_gmt":"2020-01-23T19:17:02","guid":{"rendered":"https:\/\/www.n-able.com\/?p=5031"},"modified":"2021-03-31T19:17:55","modified_gmt":"2021-03-31T18:17:55","slug":"kerberos-authentication","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/fr\/blog\/kerberos-authentication","title":{"rendered":"Kerberos Authentication Process Explained"},"content":{"rendered":"

In Greek mythology, Kerberos (or Cerberus) is a frightening-looking dog with multiple heads and fangs capable of slicing through human bone. Kerberos is famous for guarding the gates of the underworld to prevent the dead from leaving. Until Kerberos\u2019 capture by the divine hero Heracles, the dog\u2019s tenacious patrol let no soul pass into the world of the living.<\/p>\n

The internet is very similar to the underworld\u2014an insecure place full of actors who would seek to compromise our security and steal our data. Like the underworld, it needs powerful gatekeepers to guard and patrol its boundaries, lest vulnerable users are harmed. Thus, when MIT computer scientists were searching for a name for a new computer network authentication protocol that they developed, they turned to the mythical creature Kerberos.<\/p>\n

This eponymously named protocol uses top-secret key cryptology to provide powerful authentication for client-server applications. Keberos authentication was first developed in the 1980s and has since become the most commonly used cryptology-based authentication method. The ubiquity of Kerberos makes it critical for managed services providers (MSPs) to know about it\u2014where it came from, what it is, how it works, and how it can benefit their end users.<\/p>\n

Why Was Kerberos Authentication Developed?<\/b><\/h3>\n

MIT computer scientists developed\u00a0Kerberos authentication<\/a>\u00a0as one potential solution to pervasive\u00a0network security problems<\/a>\u00a0that grew in tandem with the expansion of the internet in the 1980s.<\/p>\n

These security problems were rampant among many of the applications that send unencrypted passwords over the network\u2014passwords that were highly vulnerable to a range of tactics and tools used by malicious actors intent on stealing them. Moreover, some client-server applications automatically assumed a user really was who they said they were, or relied on the client to restrict a user\u2019s activities to those deemed \u201csafe.\u201d Naturally, these applications faced serious security vulnerabilities and would likely fail to meet stringent mandates to protect users\u2019 personal data today.<\/p>\n

In response to this internet insecurity, many sites started using firewalls, thinking these would resolve the problem. But firewalls have two limitations that hinder their efficacy. One, they assume the security threat is coming from \u201coutside,\u201d when in fact it\u2019s often insiders who are responsible for the most egregious internet crimes. Two, firewalls limit users from accessing areas of the internet that they may need to access for their work. Other strategies were needed for more effective cybersecurity.<\/p>\n

What Is Kerberos Authentication?<\/b><\/h3>\n

This is where the aforementioned MIT scientists came into the picture. The product of their collective efforts was Kerberos, a network authentication protocol that\u2019s based on secret-key cryptology or \u201ctickets.\u201d By enabling users or services to communicate securely over a non-secure network through a trusted third-party arbiter, Kerberos eliminates the need to transmit vulnerable plaintext passwords.<\/p>\n

The designers of Kerberos based it on a client-server model, meaning it provides resources or services to one or more clients. It also features\u00a0multi-factor authentication<\/a>\u00a0(MFA), meaning that a system requires at least two distinct terms to grant a user access to a certain account. This strengthens password management to keep up with cybersecurity threats and heightens the level of security for all parties involved.<\/p>\n

A free implementation of Kerberos authentication is available from MIT, though by now it\u2019s embedded within a range of operating systems and other products available on the market. Kerberos authentication has become the default authorization tool used by Microsoft Windows. Apple OS, UNIX, and Linux also use it. This means most of us have encountered it in one place or another, even if we weren\u2019t aware of it.<\/p>\n

How Does Kerberos Authentication Work?<\/b><\/h3>\n

We\u2019ve already established that Kerberos securely connects users and servers. It does so within what\u2019s called a\u00a0realm-<\/em>\u2014<\/i>or a defined domain that contains a set of users and servers who would connect (though cross-realm connection is also possible). Each user or server has their own identity\u2014referred to as a\u00a0principal\u00a0<\/span><\/em>in Kerberos. Through their individual principal, users or servers can identify themselves to a trusted third-party arbiter responsible for authentication.<\/p>\n

That trusted third-party arbiter is the Key Distribution Center (KDC), located on the Kerberos server. The KDC has three main parts that are important to understand.<\/p>\n