Glossary / Authentication
Kerberos
Kerberos is a network authentication protocol that uses tickets issued by a trusted third party to allow clients and services to prove their identity to each other without sending passwords over the network.
Kerberos is a ticket-based authentication protocol designed for networks where the communication channel is not trusted. A central component called the Key Distribution Center (KDC) holds the long-term keys of every user and service in a realm and issues tickets. It has two roles: the Authentication Service (AS) and the Ticket Granting Service (TGS). The user first obtains a Ticket Granting Ticket (TGT) from the AS by proving knowledge of their long-term key, typically by pre-authenticating with a timestamp encrypted under a key derived from the password. To access a specific service, the user presents the TGT, together with a freshly encrypted authenticator, to the TGS and receives a service ticket encrypted under that service's long-term key plus a session key to share with the service. The service ticket is then sent to the target service, which decrypts it with its own key and validates it without needing to contact the KDC again.
The password itself is never sent over the network: the client derives a key from it locally and uses that key to decrypt the KDC's reply. Tickets are time-limited, encrypted under the recipient's long-term key, and carry a session key that the KDC hands to the client and the service. Because the service can prove possession of that session key in its reply (AP-REP), Kerberos supports mutual authentication when the client requests it: the service authenticates the client, and the client can confirm it reached the genuine service rather than an impostor. Tickets and authenticators are validated against timestamps, so Kerberos depends on reasonably synchronized clocks; the tolerated skew is commonly five minutes, and a service should also keep a short-lived replay cache of authenticators it has already accepted. Kerberos is the default authentication protocol in Windows Active Directory domains and is widely used in other enterprise environments and operating systems.
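The three exchanges described above (AS, TGS and AP), modelled in code as an added example that is not part of this glossary entry or of any Kerberos implementation. The cipher, the JSON message layout, the principal names, the password and the timestamps are all constructed for illustration; real Kerberos uses the ASN.1 encodings and encryption types of RFC 4120. The model does show the properties the text relies on: the password never leaves the client, the service validates a ticket with only its own key, a replayed or expired authenticator and a ticket sealed under the wrong key are rejected, and the AP-REP lets the client verify the service.

```python
"""Toy model of the Kerberos V5 ticket flow: AS exchange (TGT), TGS exchange
(service ticket) and AP exchange (ticket presented to the service).
Constructed example; the cipher and message layout are not the RFC 4120 format."""
import hashlib
import hmac
import json
import os

SKEW = 300        # tolerated clock skew in seconds (five minutes is common)
LIFETIME = 36000  # ticket lifetime in seconds (ten hours, a common default)


def string_to_key(password: str, salt: str) -> bytes:
    """Derive a long-term key from a password; stands in for Kerberos string-to-key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: HMAC-SHA256 keystream plus an HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def check_authenticator(auth: dict, ticket: dict, now: int) -> None:
    """The authenticator must name the ticket's client, be fresh, and the ticket unexpired."""
    if auth["client"] != ticket["client"] or abs(now - auth["timestamp"]) > SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one object."""
    def __init__(self, long_term_keys: dict):
        self.keys = dict(long_term_keys)
        self.keys["krbtgt"] = os.urandom(32)  # key that protects TGTs

    def as_exchange(self, client: str, pa_enc_timestamp: bytes, now: int):
        # Pre-authentication: only a holder of the client's key can produce this blob.
        ts = unseal(self.keys[client], pa_enc_timestamp)["timestamp"]
        if abs(now - ts) > SKEW:
            raise PermissionError("pre-authentication timestamp outside clock skew")
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": now + LIFETIME})
        return tgt, seal(self.keys[client], {"key": sk, "expires": now + LIFETIME})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t, now)
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_sk, "expires": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_sk, "service": service})


class Service:
    def __init__(self, key: bytes):
        self.key, self.replay_cache = key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int):
        t = unseal(self.key, ticket)  # validated locally, no round trip to the KDC
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        check_authenticator(auth, t, now)
        if (auth["client"], auth["timestamp"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["timestamp"]))
        # AP-REP: echo the timestamp under the session key so the client can verify us.
        return t["client"], seal(bytes.fromhex(t["key"]), {"timestamp": auth["timestamp"]})


def run_flow(now: int = 1_700_000_000) -> dict:
    """Full AS -> TGS -> AP flow, then three failure modes the service must reject."""
    alice_key = string_to_key("correct horse battery staple", "EXAMPLE.COM:alice")  # constructed
    svc_key = os.urandom(32)
    kdc, web, result = KDC({"alice": alice_key, "http/www": svc_key}), Service(svc_key), {}
    tgt, enc = kdc.as_exchange("alice", seal(alice_key, {"timestamp": now}), now)
    tgt_sk = bytes.fromhex(unseal(alice_key, enc)["key"])
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgt_sk, {"client": "alice", "timestamp": now}), "http/www", now)
    svc_sk = bytes.fromhex(unseal(tgt_sk, enc)["key"])
    auth = seal(svc_sk, {"client": "alice", "timestamp": now + 1})
    result["client_seen_by_service"], ap_rep = web.ap_exchange(ticket, auth, now + 1)
    result["mutual_auth_ok"] = unseal(svc_sk, ap_rep)["timestamp"] == now + 1
    late = now + LIFETIME + 10
    cases = {
        "replay": (ticket, auth, now + 2),
        "expired": (ticket, seal(svc_sk, {"client": "alice", "timestamp": late}), late),
        "forged_ticket": (seal(os.urandom(32), {"client": "alice", "key": svc_sk.hex(), "expires": late}),
                          seal(svc_sk, {"client": "alice", "timestamp": now + 3}), now + 3),
    }
    for label, args in cases.items():
        try:
            web.ap_exchange(*args)
            result[label] = "accepted"
        except (PermissionError, ValueError) as exc:
            result[label] = type(exc).__name__
    return result
```

`run_flow()` returns the client name the service authenticated, whether the AP-REP verified under the session key, and the outcome of each failure case; the replay and the expired ticket fail the Kerberos-level checks, while the ticket sealed under the wrong key fails the integrity check before its contents are even read, which is exactly why a service needs nothing but its own key to validate a ticket.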
For CIAM, Kerberos itself is rarely customer-facing, but understanding it matters when a CIAM platform must bridge customer identities into enterprise environments that rely on Kerberos-based infrastructure.
Sources
- IETF RFC 4120, The Kerberos Network Authentication Service (V5): https://datatracker.ietf.org/doc/html/rfc4120
Standards
- IETF RFC 4120