Back in 1999, I wrote a book on Windows 2000 Server in general, and Active Directory in particular. I try not to look back at what I wrote about AD back then compared to what I know now, but I remain fond of a passage that explained how the Kerberos security protocol works – using an analogy of a company party in a hotel ballroom. Even though OAuth2 and OpenID Connect are the current darlings of the security world, most of the on-premises enterprise world still depends on Kerberos every second of every day.
I think an analogy that involves a party is more conducive to learning a dry subject like Kerberos. So, I’ve modernized my example a little and polished it up to share with you here. Kerberos handles both authentication and authorization in Active Directory. Technically speaking, Kerberos is an authentication protocol, but Microsoft sticks authorization data (SIDs) into the PAC field of the Kerberos ticket for services (AD-integrated resources such as file shares or applications such Exchange or SharePoint) to consume.
Kerberos at the Company Party
Imagine you go to a large company party where alcohol is served, and it’s an open bar1. It’s been advertised as a science fiction-themed party (hey, it’s a tech company), and each bar area in the ballroom where the party is being held is decorated with a particular sci-fi theme such as Forbidden Planet, The Day The Earth Stood Still, Star Wars, etc., and staffed with cosplaying bartenders).
You walk up to the ballroom entrance, and there’s one of those velvet-skirted tables in front with a big banner on it that says, “Key Drink Center”. To get into the party, you must show your driver’s license (the Authentication Service Request containing your password) to the people working the table (the Key Distribution Center, or KDC).
You hand your license (current time, encrypted with the hash of the password you entered) over to a person holding an invitation list; he looks at you, looks at your license, and looks at the party’s invitation list. If your name matches a name on the invitation list (user exists in the directory) and you look like the person in the driver’s license photo (your entered password hash matches the password hash for the user name on the DC), you can enter the party (you’re authenticated).
Now that you’re allowed into the party, the person sitting next to the list checker stamps your hand (the Ticket Granting Ticket, or TGT). It’s good for ten hours – this will be quite a party! Next…
The next person at the table asks you if you’d like to visit a particular bar area (a service). You’ve heard that the Hitchhiker’s Guide to The Galaxy bar will be featuring a Pan Galactic Gargle Blaster, so you ask for that bar (service principal name, or SPN). They can see your hand stamp, so they give you a ticket (the service ticket) to give to the bartender at the HHGG bar. This ticket is also good for ten hours. If your license indicates you’re over 21, they will also stamp this on the back of the ticket.
Armed with your bar ticket, you head into the party.
Heading straight for the HHGG bar to get service, you present the ticket to the three-headed bartender. He sees it’s for his bar (authentication to the service), flips it over and sees that it has a stamp that states you’re over 21 (the PAC field in the service ticket contains a SID that matches an ACE for the service) and thus authorized to get an alcoholic drink. He nods his heads and hands it back to you (remember, it’s good for unlimited access for the next ten hours). He whips up a Pan-Galactic Gargle Blaster and serves it to you.
From then on, if you need another drink (and caution is advised if you’re ordering a PGGB), you simply present the HHGG bartender with your service ticket, and he’ll make you another drink. Note that you can only drink from the HHGG bar with that ticket; if you want Gort to make you a drink (he’s pretty clumsy and keeps breaking glasses) you must go back to the front table and get a Day The Earth Stood Still service ticket.
This party drink system is a bit overhead intensive, but it ensures that:
- Only people on the guest list can attend
- No party crashers can sneak in, as identity must be verified
- Partygoers choose a specific bar
- Only over-21 partygoers are authorized to get an alcoholic drink
- The party will definitely end after 10 hours
Of course, you can only stretch this analogy so far, so don’t look too close; see Brian Desmond’s detailed article on the Active Directory Kerberos authentication / authorization process for the gory details. But I think that it does a decent job of explaining AD authentication with Kerberos ticket exchanges, authorization, and time-to-live values. And I know that every IT profession that has attended a conference is well familiar with attending a party in a conference ballroom!
1My kind of party.
*** This is a Security Bloggers Network syndicated blog from Semperis authored by Sean Deuby. Read the original post at: https://www.semperis.com/kerberos-authentication-active-directory/