
AVEVA™ PI Server Installation and Configuration (PI Server 2018)

Kerberos Authentication Overview

  • Last Updated Oct 02, 2024

Kerberos authentication involves three primary participants: the logged-in user on the client machine; the Key Distribution Center (KDC), which is generally on the domain controller; and the service on a server that the client user is attempting to access. The KDC consists of two parts: the Authentication Service and the Ticket Granting Service (TGS). Once the Authentication Service ensures the user is a valid user, the TGS provides the user with a Ticket-Granting Ticket (TGT) for the local domain. The TGT allows the client to get a service ticket, which is critical in the authentication process between the client and the service. The client must also know the Service Principal Name (SPN) of the server’s service to locate the service and complete the authentication process.

An SPN (Service Principal Name) is a name that a client application uses to definitively identify an instance of a service. Microsoft introduced SPNs to make communicating with specific services more secure and manageable. The PI AF Application Service requires SPNs in order to support Kerberos authentication between the PI AF clients and the PI AF server.
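Because an SPN has to identify one service instance, an inventory of registered SPNs can be checked for the same name appearing on more than one account. The following is an added example, not part of the AVEVA documentation: the service class `ExampleSvc`, the accounts and the host names are constructed placeholders, and the parser assumes the `serviceclass/host[:port][/servicename]` SPN layout.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class SPN(NamedTuple):
    service_class: str
    host: str
    port: Optional[int]
    service_name: Optional[str]


def parse_spn(text: str) -> SPN:
    """Split 'serviceclass/host[:port][/servicename]' into its parts."""
    parts = text.strip().split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not an SPN: {text!r}")
    host, sep, port = parts[1].partition(":")
    if not host or (sep and not port.isdigit()):
        raise ValueError(f"bad host or port in SPN: {text!r}")
    return SPN(parts[0], host, int(port) if sep else None,
               parts[2] if len(parts) == 3 else None)


def spn_key(spn: SPN) -> tuple:
    """SPNs are compared case-insensitively, so normalise before grouping."""
    name = spn.service_name.lower() if spn.service_name else None
    return (spn.service_class.lower(), spn.host.lower(), spn.port, name)


def find_duplicates(inventory):
    """Return {normalised SPN: accounts} for SPNs held by more than one account.

    inventory is an iterable of (account, spn_text) pairs.
    """
    owners = defaultdict(set)
    for account, text in inventory:
        owners[spn_key(parse_spn(text))].add(account.lower())
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


# Constructed inventory: 'ExampleSvc' is a placeholder service class and the
# accounts and hosts are made up for this example.
INVENTORY = [
    ("CORP\\svc-af", "ExampleSvc/afsrv01"),
    ("CORP\\svc-af", "ExampleSvc/afsrv01.corp.example"),
    ("CORP\\AFSRV01$", "examplesvc/AFSRV01"),  # same SPN, different account
    ("CORP\\svc-sql", "MSSQLSvc/db01.corp.example:1433"),
]

if __name__ == "__main__":
    for key, accounts in find_duplicates(INVENTORY).items():
        print("duplicate SPN", key, "registered on", accounts)
```

A non-empty result means the KDC cannot tell which account's key should protect the service ticket for that name, so the duplicate registration has to be removed before Kerberos authentication to the service will work.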

Kerberos allows for the delegation of a client’s service ticket from a service on one machine to a service on another machine. Kerberos delegation may be required in various PI AF deployments. Refer to the “PI AF and Kerberos delegation” section for more information. For a detailed explanation of Kerberos, there are many sources of information on the Internet, a few of which are the following Microsoft articles:
