
Understanding Kerberos Authentication in Active Directory

Kerberos is the backbone of authentication in every Windows domain. Understanding how it works and how it fails is essential knowledge for any AD administrator.

Adrian Garcia

Published 29 June 2026

What Is Kerberos?

Kerberos is a network authentication protocol that uses secret-key cryptography to provide strong authentication for client-server applications. In a Windows Active Directory environment, it has been the default authentication protocol since Windows 2000, replacing the older and weaker NTLM protocol.

The Three Principals

Kerberos involves three parties:

  • Client: the user or machine requesting access

  • KDC (Key Distribution Center): a domain controller running the Kerberos service

  • Service: the resource the client wants to access, such as a file share, web app, or database

The Authentication Flow

Stage 1: Getting a TGT

When a user logs in, their workstation sends an AS-REQ to the KDC. The KDC validates the credentials and responds with a TGT (Ticket Granting Ticket) encrypted with the KDC's own key, so the client can store it but not read or alter it. The client keeps this TGT for the rest of the session; the default lifetime is 10 hours.

Stage 2: Getting a Service Ticket

When the user tries to access a resource, the client presents the TGT to the KDC in a TGS-REQ naming the target service. The KDC issues a service ticket encrypted with the target service's key. The client presents this ticket to the service, which decrypts it with its own key and grants access.

Why Kerberos Fails

  • Clock skew: Kerberos tolerates at most 5 minutes of difference between the client's clock and the server's. A larger difference produces KRB_AP_ERR_SKEW.

  • Missing SPNs: if a service has no registered Service Principal Name, clients cannot request a ticket for it.

  • DNS failures: Kerberos relies heavily on DNS. If the DC's hostname cannot be resolved, the client falls back to NTLM or the authentication fails entirely.

  • Delegation misconfigurations: constrained or unconstrained delegation issues surface frequently in multi-tier applications.
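The following is an added example, not code from the original article, that walks through both stages of the flow above and reproduces two of the failure modes in this list (clock skew and a missing SPN). Every key, principal name and clock value is constructed, and the "encryption" is a standard-library stand-in (SHA-256 keystream plus HMAC tag), not real Kerberos cryptography; what it models faithfully is which party holds which key, so the client can carry the TGT without opening it while the service can open only tickets sealed with its own key.

```python
"""Toy walkthrough of the two Kerberos stages plus two failure modes.

Added example, not part of the original article. Keys, principal names,
the clocks and the 'encryption' (a SHA-256 keystream with an HMAC tag,
built only from the standard library) are constructed stand-ins for real
Kerberos cryptography; the structure of the exchanges is what matters.
"""
import hashlib
import hmac
import json
import os

SKEW_TOLERANCE = 300       # seconds: the 5-minute tolerance from the article
TGT_LIFETIME = 10 * 3600   # seconds: the 10-hour TGT lifetime from the article
TRUE_TIME = 1_700_000_000  # constructed clock shared by the KDC and the service


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption of a dict: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal; fails closed if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Domain controller role: holds the KDC's own key and every principal's key."""

    def __init__(self, kdc_key, user_keys, service_keys):
        self.kdc_key, self.user_keys, self.service_keys = kdc_key, user_keys, service_keys
        self.clock = TRUE_TIME  # the KDC trusts its own clock, never the client's

    def as_exchange(self, user, preauth):
        """Stage 1 (AS-REQ -> AS-REP): prove the credentials by opening the pre-auth, issue a TGT."""
        try:
            unseal(self.user_keys[user], preauth)
        except (KeyError, ValueError):
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        skey = os.urandom(32).hex()
        tgt = seal(self.kdc_key, {"user": user, "skey": skey, "exp": self.clock + TGT_LIFETIME})
        return tgt, seal(self.user_keys[user], {"skey": skey})  # client can open only the 2nd part

    def tgs_exchange(self, tgt, spn):
        """Stage 2a (TGS-REQ -> TGS-REP): open the TGT, look up the SPN, issue a service ticket."""
        body = unseal(self.kdc_key, tgt)  # only the KDC holds this key
        if self.clock > body["exp"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        if spn not in self.service_keys:  # the 'missing SPN' failure from the article
            raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        svc_skey = os.urandom(32).hex()
        ticket = seal(self.service_keys[spn], {"user": body["user"], "skey": svc_skey})
        return ticket, seal(bytes.fromhex(body["skey"]), {"skey": svc_skey})


class Service:
    """A resource with a registered SPN and its own long-term key."""

    def __init__(self, spn, key):
        self.spn, self.key, self.clock = spn, key, TRUE_TIME

    def ap_exchange(self, ticket, authenticator):
        """Stage 2b (AP-REQ): open the ticket with our key, then check the authenticator's timestamp."""
        body = unseal(self.key, ticket)
        ts = unseal(bytes.fromhex(body["skey"]), authenticator)["ts"]
        if abs(ts - self.clock) > SKEW_TOLERANCE:  # the clock-skew failure from the article
            raise PermissionError("KRB_AP_ERR_SKEW")
        return body["user"]


def simulate(client_offset=0, spn="cifs/fs01.corp.example"):
    """Run a login and a resource access with the client's clock off by client_offset
    seconds; return the user the service accepted, or the Kerberos error name."""
    kdc_key, alice_key, fs_key = os.urandom(32), os.urandom(32), os.urandom(32)
    kdc = KDC(kdc_key, {"alice": alice_key}, {"cifs/fs01.corp.example": fs_key})
    service = Service(spn, fs_key)
    client_clock = TRUE_TIME + client_offset
    try:
        # Stage 1: the client sends pre-auth sealed with its key, keeps the TGT and session key
        tgt, enc = kdc.as_exchange("alice", seal(alice_key, {"ts": client_clock}))
        tgt_skey = bytes.fromhex(unseal(alice_key, enc)["skey"])
        # Stage 2: present the TGT for a service ticket, then the ticket plus an authenticator
        ticket, enc = kdc.tgs_exchange(tgt, service.spn)
        svc_skey = bytes.fromhex(unseal(tgt_skey, enc)["skey"])
        return service.ap_exchange(ticket, seal(svc_skey, {"ts": client_clock}))
    except (PermissionError, LookupError) as err:
        return str(err)
```

Calling simulate() returns "alice"; simulate(client_offset=301) returns "KRB_AP_ERR_SKEW" because the authenticator's timestamp is more than 300 seconds from the service's clock, and simulate(spn="http/nosuch.corp.example") returns "KDC_ERR_S_PRINCIPAL_UNKNOWN" because the KDC has no key registered for that SPN, which is exactly why an unregistered SPN stops a ticket from being issued at all. Real Kerberos uses AES-based encryption types and ASN.1-encoded messages; the point of the toy is only the key ownership and the two checks.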

Useful Diagnostic Commands

klist                          # View current Kerberos tickets
klist purge                    # Clear the ticket cache
nltest /sc_query:YOURDOMAIN    # Test secure channel to DC
setspn -L ACCOUNTNAME          # List SPNs for an account

Conclusion

Kerberos is elegant when it works and maddening when it does not. The clock skew issue catches almost everyone at least once. Keep your time synchronisation solid, your SPNs correct, and your DNS healthy, and Kerberos will rarely give you trouble.