Kerberos V5 authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

 

Kerberos V5 authentication

Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user that is requesting authentication as well as server providing the requested authentication. This dual verification is also known as mutual authentication.

An overview of how Kerberos V5 works

The Kerberos V5 authentication mechanism issues tickets for accessing network services. These tickets contain encrypted data, including an encrypted password, that confirms the user's identity to the requested service. Except for entering a password or smart card credentials, the entire authentication process is invisible to the user.

An important service within Kerberos V5 is the Key Distribution Center (KDC). The KDC runs on each domain controller as part of the Active Directory directory service, which stores all client passwords and other account information.

The Kerberos V5 authentication process works as follows:

  1. The user on a client system, using a password or a smart card, authenticates to the KDC.

  2. The KDC issues a special ticket-granting ticket to the client. The client system uses this TGT to access the ticket-granting service (TGS), which is part of the Kerberos V5 authentication mechanism on the domain controller.

  3. The TGS then issues a service ticket to the client.

  4. The client presents this service ticket to the requested network service. The service ticket proves both the user's identity to the service and the service's identity to the user.

The Kerberos V5 services are installed on each domain controller, and a Kerberos client is installed on each workstation and server.

Every domain controller acts as a KDC. A client uses a Domain Name Service (DNS) lookup to locate the nearest available domain controller. That domain controller then functions as the preferred KDC for that user during the user's logon session. If the preferred KDC becomes unavailable, the system locates an alternate KDC to provide authentication.

For more information on how Kerberos V5 provides authentication, see Kerberos Authentication Technical Reference in the Windows Server 2003 Technical Reference.

For more information about Kerberos, see "Logon and Authentication" at the Microsoft Windows Resource Kits Web site.