Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
The Kerberos architecture is designed around messages exchanged between the following entities:
- Clients that use Kerberos services.
- Servers that provide services (the clients and servers are collectively referred to as principals).
- Servers that manage the Kerberos protocol itself. These servers are often called KDCs (Key Distribution Centers), and comprise several modular services.
How Kerberos works
The following image and the steps that follow it describe the Kerberos workflow.
- User accesses the protected application from a mobile device or through a web browser.
- Web Agent redirects the user to the BMC Atrium Single Sign-On console.
- BMC Atrium Single Sign-On sends the web browser/mobile device a 401 Unauthorized response with the header set to “WWW-Authenticate: Negotiate”.
- Web browser/mobile device requests a session ticket from the Key Distribution Center (KDC).
- KDC provides the web browser/mobile device with the necessary Kerberos ticket (assuming the web browser/mobile device is authorized), wrapped in a SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) token.
- Web browser/mobile device sends BMC Atrium Single Sign-On the user’s access request together with the SPNEGO token, in an “Authorization: Negotiate base64(token)” header.
- BMC Atrium Single Sign-On validates the token with KDC.
- KDC validates the token.
- BMC Atrium Single Sign-On creates a session for the user’s access request.
- The user accesses the protected application.
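The following Python script is an added illustration of the HTTP side of steps 3 and 6 above; it is not BMC Atrium Single Sign-On's code. It issues the 401 challenge when no Authorization header is present, and when one is present it base64-decodes the Negotiate token and reads the GSS-API mechanism OID to tell a SPNEGO or raw Kerberos token apart from an NTLMSSP blob (which browsers send in the same header when they hold no ticket). The function and constant names, and the sample tokens, are constructed for this example; the mechanism OIDs are the real registered values. Validating the ticket itself against the KDC (steps 7 and 8) is left to the caller.

```python
"""Added example: parse an Authorization: Negotiate header the way a Kerberos-only
SSO front end would before handing the token to KDC validation. Illustrative code,
not BMC Atrium Single Sign-On's implementation; sample tokens are constructed."""
import base64
import re

# GSS-API mechanism OIDs (registered values from RFC 4178, RFC 4121 and MS-KILE)
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"


def der_length(n: int) -> bytes:
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value starting at pos; return (tag, value, end_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds token")
    return tag, buf[pos:end], end


def decode_oid(raw: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def classify_negotiate_header(header: str) -> str:
    """Return the mechanism the Negotiate token carries: spnego, krb5, ms-krb5, ntlm or unknown."""
    m = re.fullmatch(r"Negotiate\s+([A-Za-z0-9+/]+=*)", header.strip())
    if not m:
        raise ValueError("not an Authorization: Negotiate header")
    token = base64.b64decode(m.group(1), validate=True)
    # A browser with no Kerberos ticket falls back to NTLMSSP inside the same header;
    # a Kerberos-only deployment should refuse it rather than accept it silently.
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:  # GSS-API InitialContextToken is [APPLICATION 0]
        return "unknown"
    oid_tag, oid_raw, _ = read_tlv(body, 0)
    if oid_tag != 0x06:  # first element must be the mechanism OID
        return "unknown"
    names = {SPNEGO_OID: "spnego", KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5"}
    return names.get(decode_oid(oid_raw), "unknown")


def challenge(authorization):
    """Server decision: (status, headers, mechanism). 401 + WWW-Authenticate: Negotiate is step 3."""
    if authorization is None:
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    mech = classify_negotiate_header(authorization)
    if mech in ("spnego", "krb5", "ms-krb5"):
        return 200, {}, mech  # caller still validates the ticket with the KDC before creating a session
    return 401, {"WWW-Authenticate": "Negotiate"}, mech


# --- constructed sample tokens (not captured from a real exchange) ---
def build_gss_token(oid_der: bytes, inner: bytes) -> bytes:
    body = oid_der + inner
    return b"\x60" + der_length(len(body)) + body


def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


SPNEGO_OID_DER = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
KRB5_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
SAMPLE_SPNEGO = negotiate_header(build_gss_token(SPNEGO_OID_DER, b"\xa0\x02\x30\x00"))  # empty NegTokenInit placeholder
SAMPLE_KRB5 = negotiate_header(build_gss_token(KRB5_OID_DER, b"\x01\x00" + b"\x00" * 200))  # AP-REQ placeholder, long-form length
SAMPLE_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00")

if __name__ == "__main__":
    for name, hdr in [("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5), ("ntlm", SAMPLE_NTLM)]:
        print(name, challenge(hdr))
    print("no header", challenge(None))
```

The mechanism check matters because the browser, not the server, chooses what goes into the Negotiate header: if the workstation cannot obtain a ticket from the KDC (step 5 fails), most browsers still send a Negotiate header carrying NTLMSSP, and an SSO component that only inspects the header name would treat that as a Kerberos login.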
Using MIT Kerberos
MIT Kerberos is a trusted third-party authentication service. It provides a centralized authentication server whose function is to authenticate users to servers and servers to users. It uses symmetric encryption with keys shared with the authentication server. Kerberos keeps a database containing the keys of clients and servers, and uses the keys to authenticate one network node to another. Kerberos also generates temporary session keys to be shared by the two parties in a conversation. All communications between the two parties are then encrypted with the session key.
Using Microsoft Active Directory Kerberos
The Microsoft Windows Server operating systems implement the Kerberos version 5 authentication protocol. Windows Server operating systems also implement extensions for public key authentication. The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services running on the domain controller. The KDC uses the domain’s Active Directory directory service database as its security account database. An Active Directory server is required for default Kerberos implementations.