Kerberos is a network authentication protocol that allows for secure authentication across networks. Created in the 1980s as part of the Athena Project at MIT so that clients and servers could communicate securely in a distributed computing environment, Kerberos is still one of the most frequently used strong authentication methods used today.
Named after the Greek mythological three-headed dog, Kerberos works by mutually authenticating clients and servers through a ticketing system, thus the three “heads” are the client user, the server, and the Key Distribution Center (KDC) through which authentication requests travel and are encrypted.
With Kerberos, when a user wants to log in to a server, s/he sends a request (user credentials) to the Authentication Service (AS) of the KDC within their domain. The KDC has access to Active Directory and can thus successfully verify the user’s account information. Once verified, the user is granted a ticket-granting-ticket (TGT). The TGT is sent back to the AS and issued an encryption key (also called a “session key”) from the ticket-granting service (TGS), which is then delivered securely to both parties. The session/encryption key is time-stamped and valid for a set amount of time (usually 8 hours) and allows communications, passwords, and credentials to authenticate securely during that time period.
The main function of Kerberos is to enable mutual authentication – invisibly – for every client-server communication while ensuring the confidentiality and integrity of the data sent.