
Understanding Kerberos Authentication in Active Directory
Kerberos is the backbone of authentication in every Windows domain. Understanding how it works and how it fails is essential knowledge for any AD administrator.
Adrian Garcia
Published 29 June 2026
What Is Kerberos?
Kerberos is a network authentication protocol that uses secret-key cryptography to provide strong authentication for client-server applications. In a Windows Active Directory environment, it has been the default authentication protocol since Windows 2000, replacing the older and weaker NTLM protocol.
The Three Principals
Kerberos involves three parties:
Client: the user or machine requesting access
KDC (Key Distribution Center): a domain controller running the Kerberos service
Service: the resource the client wants to access, such as a file share, web app, or database
The Authentication Flow
Stage 1: Getting a TGT
When a user logs in, their workstation sends an AS-REQ to the KDC. The KDC validates the credentials and responds with a TGT (Ticket Granting Ticket) encrypted with the KDC's own key. The client stores this TGT for the session (typically 10 hours).
Stage 2: Getting a Service Ticket
When the user tries to access a resource, the client presents the TGT to the KDC in a TGS-REQ. The KDC issues a service ticket encrypted with the target service's key. The client presents this ticket to the service, which decrypts it and grants access.
Why Kerberos Fails
Clock skew: tickets are only accepted within a 5-minute clock tolerance. Clocks differing by more than 5 minutes cause KRB_AP_ERR_SKEW.
Missing SPNs: if a service has no registered Service Principal Name, clients cannot request a ticket for it.
DNS failures: Kerberos relies heavily on DNS. If the DC hostname cannot be resolved, the client falls back to NTLM or fails entirely.
Delegation misconfigurations: constrained or unconstrained delegation issues surface frequently in multi-tier applications.
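As an added example (not from the original post), the following PowerShell script checks three of the failure modes above from a domain-joined Windows host before you start chasing individual errors: the DNS SRV lookup that clients use to find a KDC, the clock offset to that KDC as reported by w32tm, and whether the SPN is registered exactly once. It goes slightly beyond the text by also flagging a duplicate SPN, which breaks ticket issuance just as a missing one does. The domain and the SPN HTTP/web01.corp.example are placeholders.

```powershell
# Added example, not from the original post. Checks the failure modes above
# from a domain-joined Windows host: DNS (KDC SRV record), clock skew against
# that KDC, and SPN registration. Domain and SPN values are placeholders.
param(
    [string]$Domain = $env:USERDNSDOMAIN,          # e.g. corp.example (placeholder)
    [string]$Spn    = 'HTTP/web01.corp.example'    # placeholder SPN to check
)
$findings = @()

# 1. DNS: clients find the KDC through the _kerberos._tcp SRV record.
$srv = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.NameTarget }
if (-not $srv) {
    $findings += "DNS: no _kerberos._tcp.$Domain SRV record; clients fall back to NTLM or fail"
    $dc = $null
} else {
    # Lowest Priority value is preferred; use that KDC for the skew check.
    $dc = ($srv | Sort-Object Priority, Weight | Select-Object -First 1).NameTarget
}

# 2. Clock skew: w32tm reports our offset from the DC's clock, e.g. "+00.0012345s".
if ($dc) {
    $raw = (w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1) -join "`n"
    $m = [regex]::Match($raw, '([+-]\d+\.\d+)s')
    if ($m.Success) {
        $skew = [math]::Abs([double]$m.Groups[1].Value)
        if ($skew -gt 300) {
            $findings += ("Clock skew: {0:N1}s against {1} exceeds the 5-minute tolerance (KRB_AP_ERR_SKEW)" -f $skew, $dc)
        }
    } else {
        $findings += "Clock skew: could not read an offset from $dc"
    }
}

# 3. SPN: no registered SPN means no service ticket; a duplicate SPN breaks it too.
$hits = ([ADSISearcher]"(servicePrincipalName=$Spn)").FindAll()
switch ($hits.Count) {
    0       { $findings += "SPN: $Spn is not registered on any account" }
    1       { }
    default { $findings += "SPN: $Spn is registered on $($hits.Count) accounts (setspn -X lists duplicates)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'Kerberos prerequisites look healthy.' }
```

Run it as a domain user on the affected workstation; each warning maps to one of the failure modes above and names the command to fix it.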
Useful Diagnostic Commands
klist # View current Kerberos tickets
klist purge # Clear the ticket cache
nltest /sc_query:YOURDOMAIN # Test secure channel to DC
setspn -L ACCOUNTNAME # List SPNs for an account
Conclusion
Kerberos is elegant when it works and maddening when it does not. The clock skew issue catches almost everyone at least once. Keep your time synchronisation solid, your SPNs correct and your DNS healthy, and Kerberos will rarely give you trouble.