Kerberos is the default protocol for authenticating service requests between trusted devices on a network. It’s been used since Windows 2000 and is a critical part of Windows Active Directory (AD) services and environments.
When a user logs on to their PC, Kerberos authenticates them with mutual authentication: both the client and the server prove their identity to each other. Kerberos is a stateless authentication protocol that is based on tickets; the user's password is never transmitted over the network.
[Figure: Passwords Model vs. Kerberos Model]
The three heads of the Kerberos protocol
Principal: The principal is the identity that wishes to authenticate. It is the identity you use to log on to Kerberos. This can refer to a User Principal or to a Service Principal. A User Principal would be a user to be authenticated, such as Client@UNDERWORLD.CORP
- In this example, Client is the user with the Principal of Client in the realm UNDERWORLD.CORP.
<aside>
ℹ️ A Service Principal represents a common service, such as an HTTP server or a file share. Consider HTTP/hadesshares.underworld.com@UNDERWORLD.CORP as a Service Principal; this specific Service Principal pertains to an HTTP server operating within the UNDERWORLD.CORP realm.
For more details see below. 👇🏻
</aside>
Within this Service Principal, "HTTP" serves as the identifier for the HTTP service, hadesshares.underworld.com signifies the fully qualified domain name (FQDN) of the web server, and UNDERWORLD.CORP designates the realm where this particular HTTP server is situated.
Resource: In the context of Kerberos, a resource is the networked asset or service a client aims to reach. This may be a network service, a system, or data that a user or service interacts with once authentication has completed successfully.
Key Distribution Center (KDC): A central component in Kerberos authentication. The KDC is responsible for managing authentication and distributing session keys in a realm.
Users and services that take part in the Kerberos authentication process are called principals.
Each principal has a name in a specific format that Kerberos requires. Two kinds of principal name must be distinguished:
UPN, the User Principal Name. The UPN consists of the sAMAccountName of the user account followed by the domain to which it belongs, for example Client@UNDERWORLD.CORP.
SPN, the Service Principal Name. A service is a feature or piece of software that other members of the AD can use. To identify a service, we need at least two things: the service class and the hostname (or FQDN) of the machine that provides it.
It is by combining these two pieces of information that we can accurately designate a service.
It looks like this: service_class/hostname_or_FQDN
Optionally, an SPN can also carry a port and an arbitrary name: service_class/hostname_or_FQDN:port/arbitrary_name
For example, suppose I have two hosts offering web services, WEB-SERVER-01 and WEB-SERVER-02, and each of these two machines also offers other services.
If I want to designate the web server on WEB-SERVER-01, the SPN looks like this:
www/WEB-SERVER-01
or www/WEB-SERVER-01.adsec.local
When we want to connect to a machine over RDP, the TERMSRV service class is queried, so the SPN follows the same pattern, e.g. TERMSRV/WEB-SERVER-01.
There is a special case encountered in the SPN attributes of AD objects: the HOST SPN. HOST is not really a service class. It is a group of service classes, a kind of alias that stands for many SPNs at once. The list of service classes it covers is stored in the sPNMappings attribute of the Directory Service object in the configuration partition, which can be read with:
Get-ADObject -identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=cybercorp,DC=lab" -properties sPNMappings
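As an added example (not code from the original page), the following Python parses UPNs and SPNs in the formats described above, including the optional port and arbitrary name, and resolves a requested SPN against a set of registered SPNs the way the HOST alias works: an exact registration is preferred, and a HOST/<host> registration only covers the service classes listed under the host alias, never an SPN that carries a port or an arbitrary name. The account list and the single sPNMappings value are constructed sample data; real values come from the servicePrincipalName attribute of accounts and from the sPNMappings attribute returned by the command above. A duplicate-SPN check is included because two accounts registering the same SPN is a common cause of failed Kerberos authentication.

```python
"""Kerberos principal-name helpers (added example, not from the original page).

Parses UPNs and SPNs, resolves a requested SPN against registered SPNs with
the HOST alias taken into account, and flags duplicate SPN registrations.
The account list and sPNMappings value below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Spn:
    service_class: str          # e.g. "www", "cifs", "host"; compared case-insensitively
    host: str                   # hostname or FQDN; compared case-insensitively
    port: Optional[int] = None  # optional ":port" after the host
    name: Optional[str] = None  # optional "/arbitrary_name" suffix


def parse_upn(text: str) -> Tuple[str, str]:
    """Split 'sAMAccountName@REALM' into (sam, REALM); the realm is uppercased."""
    sam, sep, realm = text.rpartition("@")
    if not sep or not sam or not realm:
        raise ValueError(f"not a UPN: {text!r}")
    return sam, realm.upper()


def parse_spn(text: str) -> Spn:
    """Parse service_class/hostname_or_FQDN[:port][/arbitrary_name]."""
    service_class, sep, rest = text.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError(f"not an SPN: {text!r}")
    host_part, _, name = rest.partition("/")
    host, has_port, port_text = host_part.partition(":")
    if not host:
        raise ValueError(f"SPN has no host: {text!r}")
    port = None
    if has_port:
        if not port_text.isdigit():
            raise ValueError(f"bad port in SPN: {text!r}")
        port = int(port_text)
    return Spn(service_class.lower(), host.lower(), port, name or None)


def parse_spn_mappings(values: List[str]) -> Dict[str, Set[str]]:
    """Turn sPNMappings values such as 'host=cifs,http,...' into alias -> classes."""
    mapping: Dict[str, Set[str]] = {}
    for value in values:
        alias, sep, classes = value.partition("=")
        if not sep or not alias.strip():
            raise ValueError(f"bad sPNMappings value: {value!r}")
        mapping[alias.strip().lower()] = {c.strip().lower() for c in classes.split(",") if c.strip()}
    return mapping


def resolve_spn(requested: str, accounts: Dict[str, List[str]],
                mappings: Dict[str, Set[str]]) -> Optional[str]:
    """Return the account owning the requested SPN, or None.

    An exact registration wins. Failing that, a HOST/<host> registration on the
    same host covers the service classes listed under the 'host' alias. SPNs
    carrying a port or an arbitrary name are never satisfied via the alias.
    """
    wanted = parse_spn(requested)
    registered = {acct: [parse_spn(s) for s in spns] for acct, spns in accounts.items()}
    for acct, spns in registered.items():
        if wanted in spns:
            return acct
    if wanted.port is not None or wanted.name is not None:
        return None
    for acct, spns in registered.items():
        for spn in spns:
            if (spn.host == wanted.host and spn.port is None and spn.name is None
                    and wanted.service_class in mappings.get(spn.service_class, set())):
                return acct
    return None


def find_duplicate_spns(accounts: Dict[str, List[str]]) -> Dict[Spn, List[str]]:
    """SPNs registered on more than one account; ticket requests for them are unreliable."""
    owners: Dict[Spn, List[str]] = {}
    for acct, spns in accounts.items():
        for text in spns:
            owners.setdefault(parse_spn(text), []).append(acct)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


# Constructed sample data: a subset of a real host alias list, and four accounts.
SAMPLE_SPN_MAPPINGS = ["host=cifs,http,www,wins,spooler"]
SAMPLE_ACCOUNTS = {
    "WEB-SERVER-01$": ["HOST/WEB-SERVER-01", "HOST/WEB-SERVER-01.adsec.local",
                       "TERMSRV/WEB-SERVER-01.adsec.local"],
    "WEB-SERVER-02$": ["HOST/WEB-SERVER-02", "HOST/WEB-SERVER-02.adsec.local"],
    "svc-web": ["www/WEB-SERVER-01.adsec.local",
                "http/WEB-SERVER-02.adsec.local:8080/intranet"],
    "svc-old": ["www/WEB-SERVER-01.adsec.local"],  # duplicate of svc-web's SPN
}

if __name__ == "__main__":
    mappings = parse_spn_mappings(SAMPLE_SPN_MAPPINGS)
    for spn in ("cifs/WEB-SERVER-01.adsec.local", "www/WEB-SERVER-01.adsec.local",
                "http/WEB-SERVER-02.adsec.local:8080", "ldap/WEB-SERVER-01"):
        print(f"{spn} -> {resolve_spn(spn, SAMPLE_ACCOUNTS, mappings)}")
    for spn, owners in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"duplicate SPN {spn.service_class}/{spn.host} on {owners}")
```

Running the script shows cifs/WEB-SERVER-01.adsec.local resolving to the computer account through its HOST SPN, www/WEB-SERVER-01.adsec.local resolving to the explicit svc-web registration even though the HOST alias would also cover it, the port-qualified http SPN resolving to nothing, and the www SPN flagged as registered twice. Service class and host are lowercased before comparison because AD treats both case-insensitively; the arbitrary name is kept as written.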
Realms in Kerberos are a way of logically grouping the resources and identities that use Kerberos. This means that we can group users, services, devices, or any entity that requires authentication and authorization into realms. In Windows terminology, a realm corresponds to a domain.