Kerberos - What it is, how tickets work, and setup best practices

Kerberos

What it is

Kerberos is a ticket-based login system that lets users and services prove who they are on a network without sending passwords. It uses a trusted Key Distribution Center (KDC) to hand out encrypted tickets so both sides can verify each other safely. Common in Windows domains and many enterprise apps.

Why it matters

Kerberos gives you strong, mutual authentication and reduces password exposure on the wire. That means fewer chances for credential theft and easier single sign-on across company services.

How it works - quick tour

  • Sign in once: you authenticate to the KDC and receive a Ticket-Granting Ticket (TGT).

  • Ask for access: when you open an app, you request a service ticket from the KDC.

  • Prove and connect: your device shows the service ticket to the app, which verifies it and lets you in.

  • Time bound: tickets expire, limiting damage if one is stolen.

Quick notes

  • Kerberos uses symmetric encryption under the hood.

  • Modern deployments prefer AES, not the older DES.

  • Accurate time sync is required or logins can fail.

Best practices

  • Enforce strong passwords and MFA where supported.

  • Keep domain controllers and clients patched and clocks in sync.

  • Limit service account privileges and rotate keys regularly.

  • Monitor for suspicious ticket use, like Pass-the-Ticket attempts.

    Glossary (A–Z)

    All A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

      • Related Articles

      • Data Execution Prevention

        What it is Data Execution Prevention (DEP) is a Windows safety net that stops code from running in places it shouldn’t—like the stack or heap. If malware tries to execute from those memory areas, Windows blocks it and shuts the app down instead of ...

      • MFA (Multi-Factor Authentication)

        What it is Multi-Factor Authentication (MFA) adds an extra check when you sign in, so it is not just a password. You confirm with something you know (password) plus something you have or are. For a short primer, see our MFA explainer. Why it matters ...

      • Form-Based Authentication

        What it is Form-based authentication is the login box you see on most websites. A page asks for your username and password, then the app checks them and signs you in if they match. How it works - quick tour You enter credentials in a web form and ...

      • Local Area Network (LAN)

        What it is A Local Area Network (LAN) connects computers and devices in a small area like a home, office, or school. Devices talk to each other through ethernet cables or Wi-Fi, sharing files, printers, and internet access. Why it matters A good LAN ...

      • Security Software

        What it is Security software is a set of apps and services that protect your devices and data from hackers, malware, and mistakes. It covers tools like antivirus/anti-malware, firewalls, VPNs, email and web filters, intrusion detection/prevention, ...