Kerberos Primer, Part I
Although it is a critical part of Windows Active Directory authentication, the Kerberos protocol is often misunderstood. Because AD depends on it so heavily, every system administrator should understand how the protocol works and which methods are available for troubleshooting it.
First, it should be understood that Kerberos is an open standard, defined in RFC 1510. It is designed to minimize the risk of a malicious user attacking authentication on the network through man-in-the-middle and replay attacks.
From an infrastructure point of view, the following TCP and UDP ports are required to be open between Active Directory and the client:
- TCP/UDP 53 – DNS
- TCP/UDP 88 – Kerberos ticket-granting service
- TCP/UDP 123 – Network Time Protocol
- TCP 464 – Kerberos password change protocol (rarely used by Windows clients after Windows 2000, but still available as the KPASSWD protocol for non-Windows systems)
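A quick way to confirm the first part of that list from a client is to probe the TCP ports before digging into Kerberos itself. The following checker is an added example, not code from the original post: it probes only the TCP side of each port, because a UDP "connect" succeeds whether or not anything is listening, so UDP 53/88/123 can only be verified with a real DNS, Kerberos or NTP exchange. The domain controller name `dc01.example.local` is a placeholder.

```python
import socket
import sys
from typing import Dict, Tuple

# The ports named in the post. Only the TCP side is probed here; see the note above
# about why a plain socket test cannot confirm UDP reachability.
REQUIRED_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos ticket-granting service",
    123: "Network Time Protocol",
    464: "Kerberos password change (KPASSWD)",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within `timeout` seconds.

    A refused connection, an unreachable host and a timeout all count as "blocked";
    the caller only needs to know whether the path to the DC is open.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str,
                   ports: Dict[int, str] = REQUIRED_TCP_PORTS,
                   timeout: float = 2.0) -> Dict[int, Tuple[str, bool]]:
    """Probe every required TCP port on the domain controller.

    Returns {port: (service name, reachable)} so the result can be asserted on
    or rendered, rather than only printed.
    """
    return {port: (name, tcp_port_open(host, port, timeout))
            for port, name in ports.items()}


def format_report(results: Dict[int, Tuple[str, bool]]) -> str:
    """Render the probe results as a fixed-width table, one port per line."""
    lines = []
    for port, (name, reachable) in sorted(results.items()):
        status = "open" if reachable else "BLOCKED"
        lines.append(f"TCP {port:<4} {name:<40} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder DC name; pass the real controller as the first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"
    print(format_report(check_dc_ports(dc)))
```

Run it from the client that cannot authenticate; a `BLOCKED` line for 88 points at a firewall or routing problem between that client and the DC rather than at Kerberos configuration.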
Because of the way in which Kerberos works, it is crucial that the client, the server, and the authentication service all agree on the time. By default, no participant's clock may be more than 5 minutes off from the others involved in the transaction. This limit is what makes replay attacks detectable: a server only has to remember the authenticators it has seen within that window to recognise a resubmitted one.
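To make the skew rule concrete, here is a small model of the two checks an application server performs on an incoming authenticator: first the timestamp must fall within the 5-minute window, then the (client, timestamp) pair must not already sit in the server's replay cache. This is an added example written for this page, not code from the original post or from any Kerberos implementation; the principal names are constructed, and the error names `KRB_AP_ERR_SKEW` and `KRB_AP_ERR_REPEAT` are the protocol's own codes for the two rejections.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# The 5-minute default described in the post.
MAX_CLOCK_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class Authenticator:
    """The fields of a Kerberos authenticator that matter for replay detection."""
    client: str       # client principal, e.g. "alice@EXAMPLE.LOCAL" (constructed)
    ctime: datetime   # the client's clock when the authenticator was built
    cusec: int        # microsecond part of ctime, so two per-second requests differ


class ReplayCache:
    """Server-side replay cache: remembers authenticators for as long as the skew
    window could still let them be presented, and rejects any repeat."""

    def __init__(self, max_skew: timedelta = MAX_CLOCK_SKEW) -> None:
        self.max_skew = max_skew
        # key -> server time at which the authenticator was first accepted
        self._seen: Dict[Tuple[str, datetime, int], datetime] = {}

    def accept(self, auth: Authenticator, now: datetime) -> Tuple[bool, str]:
        """Decide whether to accept `auth`, given the server's current time `now`."""
        # Check 1: the client's clock must be within the skew window of ours.
        skew = abs(now - auth.ctime)
        if skew > self.max_skew:
            return False, f"KRB_AP_ERR_SKEW: clock skew {skew} exceeds {self.max_skew}"

        # Drop entries whose ctime is now too old to pass check 1 anyway; keying the
        # purge on ctime (not receipt time) keeps every entry that could still be
        # replayed inside the window.
        self._purge(now)

        # Check 2: an identical authenticator inside the window is a replay.
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return False, "KRB_AP_ERR_REPEAT: authenticator already seen"
        self._seen[key] = now
        return True, "accepted"

    def _purge(self, now: datetime) -> None:
        cutoff = now - self.max_skew
        stale = [key for key in self._seen if key[1] < cutoff]
        for key in stale:
            del self._seen[key]

    def __len__(self) -> int:
        return len(self._seen)


def demo() -> list:
    """Walk a constructed sequence of authenticators through the cache."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    first = Authenticator("alice@EXAMPLE.LOCAL", now, 123456)
    results = [
        cache.accept(first, now),                                        # fresh: accepted
        cache.accept(first, now + timedelta(seconds=30)),                # replayed: REPEAT
        cache.accept(Authenticator("bob@EXAMPLE.LOCAL",
                                   now - timedelta(minutes=6), 1), now), # 6 min old: SKEW
    ]
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

The second check is why the cache can stay small: once an authenticator's timestamp is more than 5 minutes old, the skew check rejects it on its own, so the entry can be forgotten. Tighten the window and a client with a slightly wrong clock fails to authenticate; loosen it and the cache must hold more state and a captured authenticator stays usable for longer.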
I’ll continue this with Part II – Authentication Basics