Kerberos is a network authentication protocol that uses tickets to allow nodes communicating over an insecure network to prove their identity securely. Developed at MIT and adopted as the default authentication protocol in Windows Active Directory, Kerberos enables single sign-on without transmitting passwords across the network.
When a user authenticates, they receive a Ticket Granting Ticket (TGT). When they need to access a specific service, they present the TGT to receive a service ticket, which the service validates without contacting the Key Distribution Center (KDC) for every request. Attackers target Kerberos through Pass-the-Ticket and Kerberoasting attacks.
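The ticket flow described above, as an added Python sketch that is not part of the original entry: all names (KDC, issue_tgt, issue_service_ticket, service_accept) are hypothetical, the SHA-256/HMAC sealing is a toy stand-in for Kerberos' real encryption types, and authenticators and pre-authentication are left out. It shows that the service checks a ticket with only its own long-term key, so the KDC is contacted once per ticket rather than once per request.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    # SHA-256 in counter mode: toy keystream, a stand-in for a real Kerberos etype
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("not sealed with this key, or modified")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.tgs_key = os.urandom(32)      # known only to the KDC
        self.requests = 0                  # counts round trips to the KDC

    def issue_tgt(self, user, lifetime=600):
        self.requests += 1
        sk = os.urandom(16).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": time.time() + lifetime})
        # The session key comes back sealed under the user's password-derived key,
        # so the password itself never crosses the network.
        return tgt, seal(self.user_keys[user], {"sk": sk})

    def issue_service_ticket(self, tgt, service, lifetime=300):
        self.requests += 1
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        return seal(self.service_keys[service],
                    {"user": t["user"], "svc": service, "exp": time.time() + lifetime})

def service_accept(service_key, service_name, ticket, now=None):
    """Service-side validation: only the service's own key, no call to the KDC."""
    t = unseal(service_key, ticket)
    if t["svc"] != service_name or t["exp"] < (time.time() if now is None else now):
        raise ValueError("ticket is for another service or has expired")
    return t["user"]
```

Because the service trusts whatever its own key unseals, the strength and secrecy of service account keys and short ticket lifetimes are the controls that matter on this leg of the protocol.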
CISSP Relevance
Kerberos is covered in Domain 5 (Identity and Access Management) as a fundamental authentication protocol. CISSP candidates must understand the Kerberos authentication flow, the role of the KDC, common attack vectors, and how Kerberos supports single sign-on in enterprise environments.
External reference: NIST Glossary Kerberos
Related terms: Single Sign-On, Authentication