Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
Today its most widely known implementation is probably Windows, where Windows clients authenticate to a domain controller and receive a Kerberos ticket in the process. This initial ticket is the ticket granting ticket (TGT). It avoids having to present the password again every time a new ticket is needed to use another service.
Kerberos builds on symmetric key cryptography and requires a trusted third party, the Key Distribution Center (KDC), and optionally may use public-key cryptography during certain phases of authentication (PKINIT). Kerberos uses port 88 by default, over UDP or TCP; a client that started over UDP falls back to TCP when a message is too large for a single datagram, which happens easily with Windows tickets that carry a large PAC, and Windows clients since Vista use TCP by default.
The use in Trustbuilder is as follows.
- A desktop user logs on and requests a TGT from the KDC (the domain controller in a Windows context)
- The user uses a GSSAPI/SPNEGO enabled browser to go to a web server in the same domain
- The web server protected by TrustBuilder notices that the request carries no authentication and returns status 401 with a WWW-Authenticate: Negotiate header
  a. The browser uses its TGT to request a service ticket for the web server's service principal (SPN HTTP/<hostname>) from the KDC
  b. The browser wraps that ticket in a SPNEGO token, base64 encodes it and resends the request with an Authorization: Negotiate <token> header
  c. The server decodes the token, validates the ticket with its own service key (its keytab) and, if all is OK, retrieves the principal from it
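The HTTP half of the exchange above, as an added example that is not TrustBuilder's code and makes no assumption about its internals: the 401 challenge, the client's Authorization: Negotiate reply, and the server-side check that the token inside really is a GSS-API SPNEGO or Kerberos token rather than an NTLM message (browsers send raw NTLM under the same Negotiate scheme when they cannot obtain a service ticket, which a Kerberos-only deployment should reject). The tokens are constructed and carry only the outer framing; validating the ticket against the server's keytab is the GSSAPI step this example deliberately leaves out.

```python
import base64
import re

# Constructed for this example: DER-encoded OID bodies (the bytes after the 0x06 tag and length).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2        SPNEGO (RFC 4178)
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2 Kerberos V5 (RFC 4121)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"               # raw NTLM message; browsers send this inside
                                                  # "Negotiate" when they cannot get a Kerberos ticket


def _der_length(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def wrap_gss_token(oid: bytes, inner: bytes) -> bytes:
    """Build an RFC 2743 InitialContextToken: [APPLICATION 0] { OID, inner token }.

    The inner bytes are opaque here; a real client puts a NegTokenInit (SPNEGO)
    or an AP-REQ carrying the service ticket (raw Kerberos) in that position.
    """
    oid_tlv = b"\x06" + _der_length(len(oid)) + oid
    body = oid_tlv + inner
    return b"\x60" + _der_length(len(body)) + body


def offers_negotiate(www_authenticate: str) -> bool:
    """True if the 401's WWW-Authenticate header lists the Negotiate scheme."""
    return re.search(r"(?:^|,)\s*Negotiate(?=[\s,]|$)", www_authenticate, re.I) is not None


def build_authorization(token: bytes) -> str:
    """Client side: the header the browser sends back on its retry."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_authorization(header_value: str) -> str:
    """Server side: which mechanism is inside an Authorization: Negotiate header?

    Returns 'spnego', 'kerberos', 'ntlm' or 'unknown'. 'ntlm' is the case a
    Kerberos-only deployment should reject rather than silently accept.
    """
    m = re.fullmatch(r"\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*", header_value)
    if not m:
        return "unknown"
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    try:
        _, pos = _read_der_length(token, 1)
        if token[pos] != 0x06:
            return "unknown"
        oid_len, pos = _read_der_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (IndexError, ValueError):
        return "unknown"
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "kerberos"
    return "unknown"


def run_exchange(client_token: bytes, allow_ntlm: bool = False) -> dict:
    """Walk the three HTTP legs with a constructed token standing in for the browser's."""
    # Leg 1: unauthenticated request -> 401 challenge from the protected server.
    challenge = {"status": 401, "WWW-Authenticate": "Negotiate"}
    if not offers_negotiate(challenge["WWW-Authenticate"]):
        return {"status": challenge["status"], "mechanism": None}
    # Leg 2: browser retries with the token it built from its service ticket.
    authorization = build_authorization(client_token)
    # Leg 3: server inspects the token before handing it to GSSAPI for validation.
    mechanism = classify_authorization(authorization)
    accepted = mechanism in ("spnego", "kerberos") or (mechanism == "ntlm" and allow_ntlm)
    return {"status": 200 if accepted else 401, "mechanism": mechanism}


if __name__ == "__main__":
    # Constructed sample tokens: only the outer GSS-API framing is meaningful.
    spnego = wrap_gss_token(SPNEGO_OID, b"\xa0\x03\x02\x01\x00")
    ntlm_type1 = b"NTLMSSP\x00\x01\x00\x00\x00"
    print(run_exchange(spnego))       # {'status': 200, 'mechanism': 'spnego'}
    print(run_exchange(ntlm_type1))   # {'status': 401, 'mechanism': 'ntlm'}
```

In a real deployment the accepted token is passed to the GSSAPI acceptor (gss_accept_sec_context with the HTTP/<hostname> keytab entry), which checks the ticket's encryption and timestamps and yields the principal; the classification above only decides whether that call is worth making and whether an NTLM fallback slipped in.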