Kerberos Authentication Protocol

The Kerberos authentication protocol defines the interactions between a client and network Authentication Service known as a Key Distribution Center (KDC). Windows NT implements a KDC as the authentication service on each Domain Controller. The Windows NT Domain is equivalent to a Kerberos realm, but will continue to be referred to as a Domain. The Windows NT Kerberos implementation is based on the Internet RFC 1510 definition of the Kerberos protocol.² The Kerberos client run time is implemented as a Windows NT security provider based on the Security Support Provider Interface (SSPI). Initial Kerberos authentication is integrated with the WinLogon single-sign on architecture. The Kerberos server, or KDC, is integrated with existing Windows NT security services running on the Domain Controller and uses the Windows NT Directory Service as the account database for users (principals) and groups.

The Kerberos authentication protocol enhances the underlying security features of Windows NT and provides the following features:

• Faster server authentication performance during initial connection establishment. The application server does not have to connect to the domain controller to authenticate the client. This allows application servers to scale better when handling a large number of client connection requests.
• Delegation of authentication for multitier client/server application architectures. When a client connects to a server, the server impersonates the client on that system. But if the server needs to make a network connection to another backend server to complete the client transaction, the Kerberos protocol allows delegation of authentication for the first server to connect on behalf of the client to another server. The delegation allows the second server to also impersonate the client.
• Transitive trust relationships for interdomain authentication. The user can authenticate to domains anywhere in the domain tree because the authentication services (KDCs) in each domain trusts tickets issued by other KDCs in the tree. Transitive trust simplifies domain management for large networks with multiple domains.

The Kerberos Version 5 authentication protocol defined in RFC 1510 has gone through a wide industry review and is well known in the security interest groups.

² "The Kerberos Network Authentication Service (V5)," J. Kohl and C. Neumann, Internet RFC 1510, September, 1993.