Summary: Kerberos is a ticket-based authentication protocol using a trusted Key Distribution Center; it provides mutual authentication without transmitting passwords over the network.
¶ Components
- Client: User or computer account seeking access to a service
- KDC (Key Distribution Center): Runs on every DC; split into AS and TGS components
- Service: The resource being accessed, identified by a Service Principal Name (SPN)
¶ Phase 1: AS Exchange (TGT Request)
- Client sends AS-REQ to the KDC Authentication Service with its username and a timestamp encrypted with its password hash (pre-authentication)
- KDC verifies pre-auth, issues AS-REP containing:
  - TGT — encrypted with the KDC's own key (krbtgt account hash); client cannot read it
  - Session key — encrypted with the client's password hash; client decrypts this
- Client caches the TGT and session key in memory
Clock skew tolerance is 5 minutes (default). Exceeding this causes KRB5KDC_ERR_SKEWED and authentication fails.
¶ Phase 2: TGS Exchange (Service Ticket Request)
- Client sends TGS-REQ to the KDC Ticket Granting Service containing:
  - The cached TGT (proves identity to KDC without re-entering credentials)
  - SPN of the target service
- KDC decrypts TGT, validates it, and issues TGS-REP containing:
  - Service ticket — encrypted with the service account's password hash; only the service can decrypt it
  - New session key — for client-service communication
¶ Phase 3: AP Exchange (Service Access)
- Client presents the service ticket in an AP-REQ to the target service
- Service decrypts ticket with its own password hash, reads client identity and PAC
- Authentication complete; session established
- Optional: service sends AP-REP to prove its own identity to the client (mutual authentication)
¶ Ticket Granting Ticket (TGT)
- Issued by the AS (KDC) during phase 1
- Encrypted with krbtgt account password hash — only KDC can decrypt it
- Default lifetime: 10 hours, renewable for 7 days
- Used as proof of identity when requesting service tickets — no password re-entry needed
¶ Service Ticket
- Issued by the TGS during phase 2
- Encrypted with the target service account's password hash
- Default lifetime: 10 hours
- Contains the PAC with user's group memberships
¶ Privilege Attribute Certificate (PAC)
The PAC is embedded inside service tickets and contains:
- User's SID and UPN
- Group SIDs (direct and transitive group memberships)
- Domain information and logon time
- Signatures from both KDC and domain controller
Services validate the PAC to make authorisation decisions (what the user is allowed to do). PAC validation failure causes access denied even if the ticket is valid.
¶ Service Principal Names (SPNs)
An SPN is the unique identifier for a Kerberos-enabled service. Format:
ServiceClass/hostname@REALM
ServiceClass/hostname:port@REALM
Examples:
CIFS/fileserver.example.com@EXAMPLE.COM
HTTP/webapp.example.com@EXAMPLE.COM
MSSQLSvc/sql01.example.com:1433@EXAMPLE.COM
- The client includes the SPN in the TGS-REQ to tell the KDC which service it wants
- The KDC looks up the SPN, finds the associated service account, and encrypts the service ticket with that account's password hash
- If the SPN is missing, duplicated, or mapped to the wrong account, authentication fails with KRB_AP_ERR_MODIFIED or KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
¶ Checking and Fixing SPNs
List SPNs for an account:
setspn -l hostname
setspn -l domain\serviceaccount
Check for duplicate SPNs across the domain:
setspn -X -F
Add a missing SPN:
setspn -a HTTP/webapp.example.com domain\webappaccount
Remove an incorrect SPN:
setspn -d HTTP/webapp.example.com domain\wrongaccount
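The following is an added Python example, not part of these notes or of the setspn tool: it parses SPNs in the ServiceClass/hostname[:port][@REALM] form shown above and reports the duplicate registrations that `setspn -X` would flag, where the KDC cannot decide which account's key to use. The account names and SPN lists are constructed sample data; `parse_spn` and `find_duplicate_spns` are names chosen here.

```python
# Added example: SPN parsing and duplicate detection over constructed data.
# Only the ServiceClass/hostname[:port][@REALM] form from the notes is handled;
# SQL instance-name SPNs (host:INSTANCE) are reported as malformed.
from collections import defaultdict
import re

# AD matches service class and host case-insensitively, hence the lowercasing
# below; an explicit :port distinguishes otherwise identical SPNs.
SPN_RE = re.compile(
    r"^(?P<cls>[^/:@\s]+)/(?P<host>[^/:@\s]+)"
    r"(?::(?P<port>\d{1,5}))?(?:@(?P<realm>[^@\s]+))?$"
)

def parse_spn(spn):
    """Return (service_class, hostname, port, realm), normalised; raise ValueError if malformed."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in SPN: {spn!r}")
    realm = m["realm"].upper() if m["realm"] else None
    return (m["cls"].lower(), m["host"].lower(), port, realm)

def find_duplicate_spns(accounts):
    """accounts: {samAccountName: [spn, ...]}.
    Returns {normalised_spn: [accounts]} for every SPN held by more than one
    account, plus a 'malformed' entry listing (account, spn) pairs that failed to parse."""
    owners = defaultdict(list)
    malformed = []
    for account, spns in accounts.items():
        for spn in spns:
            try:
                cls, host, port, realm = parse_spn(spn)
            except ValueError:
                malformed.append((account, spn))
                continue
            key = f"{cls}/{host}" + (f":{port}" if port else "") + (f"@{realm}" if realm else "")
            if account not in owners[key]:
                owners[key].append(account)
    dupes = {k: v for k, v in owners.items() if len(v) > 1}
    if malformed:
        dupes["malformed"] = malformed
    return dupes

# Constructed sample: one HTTP SPN registered twice (differing only in case),
# one MSSQLSvc SPN registered on both the computer account and a service account.
SAMPLE_ACCOUNTS = {
    "webappaccount": ["HTTP/webapp.example.com", "HTTP/webapp"],
    "wrongaccount": ["http/WEBAPP.example.com"],
    "sql01$": ["MSSQLSvc/sql01.example.com:1433@EXAMPLE.COM"],
    "svc_sql": ["MSSQLSvc/sql01.example.com:1433@example.com",
                "MSSQLSvc/sql01.example.com:1434@EXAMPLE.COM"],
    "fileserver$": ["CIFS/fileserver.example.com", "CIFS//broken"],
}

if __name__ == "__main__":
    for spn, holders in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(spn, "->", holders)
```

Each duplicate the function reports is a candidate for `setspn -d` on the account that should not hold it, after confirming which account actually runs the service.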
¶ Time Synchronisation
Kerberos requires system clocks to be within 5 minutes (default MaxClockSkew). This limits the window in which a captured ticket or authenticator can be replayed.
- DCs sync to the PDC Emulator FSMO role holder
- PDC Emulator syncs to an external NTP source
- Domain members sync to their authenticating DC
If clocks drift, check the current time sync state:
w32tm /query /status
Force re-sync:
w32tm /resync /force
¶ Common Kerberos Errors
| Error | Meaning |
|---|---|
| KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN | User account not found or disabled |
| KRB5KDC_ERR_PREAUTH_FAILED | Wrong password or clock skew during AS-REQ |
| KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN | SPN not found — check setspn |
| KRB5KDC_ERR_SKEWED | Clock difference exceeds max skew — check NTP |
| KRB5KDC_ERR_TKT_EXPIRED | TGT or service ticket expired — request new ticket |
| KRB_AP_ERR_MODIFIED | Service ticket decryption failed — SPN mapped to wrong account |
| KRB5KDC_ERR_WRONG_REALM | Realm mismatch — check forest trust or UPN suffix |