100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is Kerberos in Networking?

Learn what Kerberos is, how tickets and the KDC enable single sign-on, and why passwords never cross the network.

hardQ136 of 224 in Computer Networks Est. time: 6 minsLast updated:
Open Code Lab

Expected Interview Answer

Kerberos is a network authentication protocol that uses trusted third-party ticket-granting servers and symmetric-key cryptography to let clients and services prove their identity to each other without ever sending a password over the network.

A client first authenticates once to a Key Distribution Center (KDC), which issues a Ticket-Granting Ticket (TGT) encrypted with a key derived from the user’s password; the client never has to resend that password again for the rest of the session. When the client wants to reach a specific service, it presents the TGT to the KDC’s Ticket-Granting Service and receives a service ticket, which it then hands to the target service; the service decrypts the ticket with a key it shares only with the KDC to confirm the client is genuine. Tickets are time-limited and include timestamps to prevent replay attacks, and the whole exchange relies on mutual trust in the KDC rather than the client and service trusting each other directly. Kerberos underpins single sign-on in enterprise environments such as Windows Active Directory, letting a user log in once and transparently access file shares, databases, and applications without repeated password prompts.

  • Passwords never travel across the network, even in encrypted form repeatedly
  • Enables single sign-on across many services after one initial login
  • Time-limited tickets with timestamps resist replay attacks
  • Mutual authentication confirms both client and service identity

AI Mentor Explanation

Kerberos is like a stadium accreditation office that checks a broadcaster’s credentials once in the morning and issues a stamped, time-limited wristband, rather than making them show ID at every single gate all day. When the broadcaster wants into the commentary box, they show that wristband to a second desk, which issues a specific box pass valid only for the next two hours, and the commentary box staff trust that pass because it was stamped by the same accreditation office they also trust. No one ever asks the broadcaster to say their password out loud again after the first check, exactly how Kerberos avoids resending credentials after the initial ticket is issued.

Step-by-Step Explanation

  1. Step 1

    Initial authentication

    The client authenticates once to the KDC and receives a Ticket-Granting Ticket (TGT) encrypted with a key derived from the password.

  2. Step 2

    Service ticket request

    The client presents the TGT to the Ticket-Granting Service to request access to a specific service.

  3. Step 3

    Service ticket issued

    The KDC issues a service ticket encrypted with a key shared only between the KDC and that service.

  4. Step 4

    Mutual authentication

    The client presents the service ticket to the service, which decrypts it to verify the client, completing mutual trust without a password exchange.

What Interviewer Expects

  • Explains the role of the KDC, TGT, and service tickets
  • Understands that the password never crosses the network after initial setup
  • Mentions time-limited tickets and timestamps preventing replay attacks
  • Connects Kerberos to single sign-on use cases like Active Directory

Common Mistakes

  • Thinking Kerberos sends an encrypted password on every request
  • Confusing the TGT with a service ticket
  • Not knowing Kerberos relies on symmetric-key cryptography and a trusted KDC
  • Forgetting tickets are time-limited, which is why clock skew breaks Kerberos auth

Best Answer (HR Friendly)

Kerberos is a way for you to log in once and then access many different systems without typing your password again and again. A trusted central server checks who you are the first time and hands you a time-limited digital ticket, and each system you visit afterward trusts that ticket instead of asking for your password directly, which is what makes single sign-on at work possible.

Code Example

Obtaining and inspecting a Kerberos ticket
# Authenticate to the KDC and obtain a Ticket-Granting Ticket
kinit alice@EXAMPLE.COM
# Password for alice@EXAMPLE.COM: ********

# List cached tickets, including the TGT and any service tickets
klist
# Ticket cache: FILE:/tmp/krb5cc_1000
# Default principal: alice@EXAMPLE.COM
#
# Valid starting     Expires            Service principal
# 07/18/26 09:00:00  07/18/26 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM

# Destroy tickets when done
kdestroy

Follow-up Questions

  • What is the difference between a Ticket-Granting Ticket and a service ticket?
  • Why is clock synchronization critical for Kerberos to function correctly?
  • How does Kerberos prevent replay attacks?
  • How does Kerberos compare to certificate-based mutual TLS authentication?

MCQ Practice

1. What does the KDC issue after a client’s initial authentication?

The KDC issues a TGT after successful initial authentication, avoiding repeated password transmission.

2. What cryptographic approach does Kerberos primarily rely on?

Kerberos uses symmetric keys shared with a trusted Key Distribution Center to encrypt tickets.

3. Why are Kerberos tickets time-limited?

Time-limited tickets with timestamps prevent an attacker from replaying a captured ticket later.

Flash Cards

What is Kerberos?A network authentication protocol using a trusted KDC and tickets so passwords never cross the network repeatedly.

What is a TGT?A Ticket-Granting Ticket issued after initial login, used to request service tickets without re-sending the password.

Where does Kerberos shine?Single sign-on in enterprise environments like Windows Active Directory.

Why does Kerberos need synchronized clocks?Tickets carry timestamps to prevent replay attacks; clock skew causes authentication failures.

1 / 4

Continue Learning