Designed by Steve Miller and Clifford Neuman, Kerberos version 4 was targeted at the famous Project Athena, a program for delivering high-class features to laptops. It was published in the late 1980s. Later, Microsoft adopted Kerberos as the preferred authentication method in Windows 2000 and subsequent versions.
Nowadays, intranet web applications can also enforce Kerberos as an authentication method for domain-joined clients. For this, they have to use the APIs provided under SSPI, the Security Support Provider Interface. Some Microsoft extensions to the Kerberos suite of protocols are documented in RFC 3244. Let's first look at what Kerberos is, and then at its three main parts.
What is Kerberos?
Authentication is essential whenever programs communicate over a computer network. Kerberos is a protocol that authenticates the parties on a computer network. It works primarily with tickets. The tickets let nodes communicating over a non-secure network prove their identity to one another securely through a trusted third party. The messages in the Kerberos protocol are protected against security breaches such as eavesdropping and replay attacks. Let's look at how it works.
Kerberos: What are the 3 Main Parts of it?
The Kerberos protocol comprises three major parts. Together, they build the protocol and maintain its workflow. The main parts are:
- Client
- Server or Application Server (AP)
- Trusted Third Party or Key Distribution Center (KDC)
The client is the set of nodes that proves its identity; you can also call the client a user. The Application Server is the service to be accessed by the client. The KDC or Key Distribution Center is the trusted third party that issues tickets. In Active Directory, each domain controller acts as this third party providing tickets. The KDC offers two core services: the Authentication Service (AS) and the Ticket Granting Service (TGS). The AS authenticates clients and issues their tickets. The TGS accepts already-authenticated clients and allows them to access other resources. In this way, the three main parts of Kerberos work together to provide authentication for application networks.
The Workflow of Kerberos: How it Helps
Now you have an idea of the three essential parts that make up Kerberos. Next, you need to know how these three parts help computer networks, so let's get into the technical details and look at the Kerberos workflow.
First, a client requests a ticket from the KDC for a specific service. For this, it has to present its TGT together with a TGS request. The request contains the name of the service that the client needs to access. The KDC then creates a service ticket that is protected with the service's password. After that, it encrypts the ticket and the authentication message. Finally, it sends the TGS reply back to the client.
In the next step, the client presents the service ticket obtained from the KDC to the application server and thereby requests access to it. The application server decrypts the message using its own password. Once it has decrypted the ticket, the client can access the application server.
Important Factors that Influence the Operations of Kerberos
I hope you now have a clear idea of what Kerberos is and how it works with its three major parts. Before closing our discussion, let's look at the essential factors that determine how Kerberos will operate.
Replication among the Domain Controllers is a must:
When multiple domain controllers (KDCs) are deployed, you must pay attention to replication. Replication has to converge correctly for authentication to work; if it does not, authentication will fail right after a password change.
NETBIOS and DNS Name Resolution is Important:
All clients and KDCs should have NETBIOS and DNS names. Kerberos Service Principal Names usually include NETBIOS and DNS addresses, so clients and KDCs need to be able to resolve those names.
Synchronization of Time among the Clients and KDCs:
It is imperative that clocks are synchronized properly; otherwise replay attacks become possible. The default configurable time skew for Kerberos is 5 minutes, outside of which authentication will fail.
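The skew and replay checks an application server applies to an incoming authenticator, as an added example that is not part of the original article: timestamps more than 5 minutes from the server's clock are refused, and an authenticator already seen inside that window is refused as a replay. The client names, timestamps and the cache structure are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # the default clock-skew tolerance named in the article

class AuthenticatorCache:
    """Per-server replay cache: remembers (client, ctime) pairs accepted within the skew window."""

    def __init__(self, max_skew: timedelta = MAX_SKEW):
        self.max_skew = max_skew
        self.seen: dict[tuple[str, datetime], datetime] = {}  # (client, ctime) -> arrival time

    def check(self, client: str, ctime: datetime, now: datetime) -> str:
        # 1. Clock skew: the authenticator's timestamp must be within max_skew of the server's clock.
        if abs(now - ctime) > self.max_skew:
            return "rejected: clock skew"
        # 2. Forget entries whose ctime is now outside the window; they could not pass step 1 anyway.
        for key in [k for k in self.seen if now - k[1] > self.max_skew]:
            del self.seen[key]
        # 3. Replay: the same client presenting the same timestamp inside the window is a replay.
        if (client, ctime) in self.seen:
            return "rejected: replay"
        self.seen[(client, ctime)] = now
        return "accepted"

def run_sample() -> list[str]:
    """Constructed sequence of authenticator arrivals: (client, ctime in authenticator, server clock)."""
    cache = AuthenticatorCache()
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [
        ("alice", t0, t0 + timedelta(seconds=1)),                                   # fresh
        ("alice", t0, t0 + timedelta(seconds=30)),                                  # same authenticator again
        ("bob", t0 - timedelta(minutes=6), t0 + timedelta(seconds=40)),             # bob's clock is 6 min behind
        ("alice", t0 + timedelta(minutes=10), t0 + timedelta(minutes=10, seconds=1)),  # new authenticator later
    ]
    return [cache.check(client, ctime, now) for client, ctime, now in events]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The two checks depend on each other: the replay cache only needs to hold entries for the skew window, because anything older is rejected by the skew check alone, which is why a skew tolerance that is too large also enlarges the replay cache the server must keep.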
Proper Access to the Networks:
All clients and KDCs must be able to reach each other over the network. Kerberos traffic normally uses TCP and UDP port 88, so clients and KDCs must be able to communicate on it.
Kerberos: A Useful Authentication Protocol
So, we have discussed all you need to know about the popular authentication protocol Kerberos. We hope this gives you a detailed overview of the protocol; once you understand it, you can use it efficiently and correctly. I hope the article has cleared up your doubts about it.