What Are the Advantages of Kerberos Authentication?by Laura Gittins
Kerberos is a network authentication protocol that uses encrypted tickets to pass information over nonsecure networks. Kerberos authentication presents several advantages over other network authentication methods, so that the nodes communicating with each other can trust that the information they're receiving is authentic and reliable, and that future sessions will have the same authenticity.
When two nodes -- such as a client and server or server and server -- begin communications, they pass encrypted tickets through a trusted third-party system called the Key Distribution Center. The KDC passes a secret ticket with a decryption key to both nodes. The nodes then pass encrypted time stamps to each other and use the key to decrypt them. If they do so successfully, they authenticate their counterparts and can trust each other for as long as the session remains open.
When a server attempts to authenticate a client computer using the Kerberos protocol, the client does not have to send a password -- thanks to the mutual authentication, both the client and the server have the necessary information needed to decrypt the tickets. This means that any packet sniffers eavesdropping on the communication will not have access to client or server passwords, let alone any other information passed during the session.
When a client node is authenticated on a Kerberos-supported network, it receives a client ticket with an expiration time stamp. As long as the ticket has not expired, the client can use it to access to any other network service that supports Kerberos authentication without having to re-authenticate itself. If the client's session on the network is still active but the ticket expires, the client may request a new ticket.
Once a client and server have authenticated themselves to one another, they never have to do so again. As part of the mutual authentication, the client receives credentials from the server. When the client initiates a future session, it sends its credentials to the server, which recognizes them and immediately authenticates the client. This eliminates the need for a KDC, so the two nodes can establish a secure connection even faster than they did during their first session.