Kerberos security concepts

Learn about Kerberos authentication and WS-Security concepts.

Concepts

Kerberos configuration file
The configuration file contains information that is important for authentication and access: the key distribution center (KDC) realm and location, the supported encryption types, and the keytab file location. Clients use the configuration file to authenticate with the KDC and request access to networked services. Kerberos-secured services also use the configuration file to locate the keytab file that contains the private key associated with the service.
Kerberos keytab file
The keytab file contains the principal and the encrypted private key that is associated with that principal. The keytab file is created by exporting a principal from the KDC. Using the keytab file, a service can verify the authenticity of a client and authenticate it without contacting the KDC.
Key Distribution Center (KDC)
The Key Distribution Center stores user and service principals together with their associated keys. The key is derived from either a user name and password or a service name and password. The KDC also provides an authentication server and a server that grants tickets.
Principals
Networked users and services are known as principals. They authenticate with a Key Distribution Center (KDC).
Realm
The unique range of control that is provided by a KDC. By convention, the realm name is the DNS domain name converted to uppercase.
Service Principal Name (SPN)
The service principal name represents a unique networked service. For a client to use a Kerberos-secured service, the client must authenticate with a KDC and provide the SPN of the service. The ticket-granting server issues the client a ticket that allows it to authenticate itself to the service.
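The items the configuration file entry above lists (realm, KDC location, encryption types, keytab location) can be read from a krb5.conf and checked for deprecated encryption types. This is an added example, not code from the original page or from any Kerberos implementation; the realm EXAMPLE.COM, the kdc1.example.com hosts and the keytab path are constructed sample values.

```python
import re

# Enctypes MIT Kerberos treats as weak or deprecated (single DES, 3DES, RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac", "rc4-hmac"}

# Constructed sample krb5.conf (hypothetical realm, hosts and paths), not from the page.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/etc/krb5.keytab
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        admin_server = kdc1.example.com:749
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a realm's '{ ... }' block nests as a dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                         # new section, e.g. [realms]
            section, block = m.group(1), None
            conf.setdefault(section, {})
        elif line == "}":                             # end of a nested realm block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                          # start of a nested realm block
                block = conf[section].setdefault(key, {})
            else:                                     # repeated keys (e.g. kdc) accumulate
                target = block if block is not None else conf[section]
                target.setdefault(key, []).append(value)
    return conf

def weak_enctypes(conf):
    """Deprecated enctypes the client is configured to accept or request."""
    found = set()
    for key in ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"):
        for entry in conf.get("libdefaults", {}).get(key, []):
            found.update(e for e in entry.split() if e in WEAK_ENCTYPES)
    return sorted(found)
```

Running weak_enctypes on the sample reports rc4-hmac, which a hardening review would remove from permitted_enctypes.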