FortiGate
Debbie_FTNT
Staff & Editor
Article Id 399506
Description

 

This article explains Kerberos authentication basics in an easily understood manner.

 

Scope

 

FortiGate, FortiProxy.

 

Solution

 

Kerberos is the default authentication protocol in Windows Active Directory (AD) environments and usually runs in the background, without the user having to enter anything. Other operating systems that are joined to or interact with a Windows domain can also use Kerberos to authenticate users transparently.

FortiGate and FortiProxy, for example, can use Kerberos as an authentication method for explicit proxy setups and authenticate the user without prompting them for credentials.

 

Kerberos consists of multiple components:

  • Key Distribution Center (KDC): This consists of two parts - the Authentication Server and the Ticket Granting Server. In an Active Directory domain, every domain controller is a KDC.
  • Authentication Server (AS): This verifies the account's credentials and issues the Ticket Granting Ticket (TGT).
  • Ticket Granting Server/Service (TGS): This checks the account's restrictions for the requested service and issues a Service Ticket (ST) and a session key.
  • Ticket Granting Ticket (TGT): This ticket is presented by an account to the Ticket Granting Server when requesting access to a service; it is encrypted by the Authentication Server with the Ticket Granting Server's long-term key, so the account itself cannot read it.
  • Service Ticket (ST): This ticket is issued by the Ticket Granting Server to allow an account access to a service; it is encrypted with the service's long-term key.
  • Session Key: A short-lived symmetric key generated by the KDC to protect the messages between two participants of one Kerberos exchange.
    • TGS session key: A session key for messages to the Ticket Granting Server. It is issued by the Authentication Server, sent to the user (encrypted with the user's key) and also embedded in the Ticket Granting Ticket.
    • Service session key: A session key for messages to the service. It is issued by the Ticket Granting Server, sent to the user (encrypted with the TGS session key) and also embedded in the Service Ticket.
  • Principal Name: A name that identifies a user, service or host to the other Kerberos participants, for example user@REALM, or a Service Principal Name (SPN) such as HTTP/hostname for a service.
  • Keytab: A file holding the long-term key of one or more principals. The long-term key itself is derived from the principal's password and is known only to the principal (or the host/service that holds the keytab) and the KDC. This article uses 'keytab' loosely for the long-term key; a service such as an explicit proxy keeps its key in a keytab file so that it can decrypt Service Tickets issued for its SPN.

 

Kerberos authentication can be roughly split into two parts: Authentication, and Service Access.

Authentication consists of the user authenticating themselves to the Authentication Server and receiving a Ticket Granting Ticket. Steps 1-3 below deal with the actual authentication.

Service Access consists of the user trying to access a service (like an explicit proxy, a network drive, or similar) and acquiring a Service Ticket to be granted access. Explicit proxy authentication in a FortiGate would fall into this part. Steps 4-8 below cover service access.

 

  1. The user (or their host automatically) connects to the Authentication Server on the Key Distribution Center to validate their credentials and receive a Ticket Granting Ticket.

 

kerberosstrip1.png

 

  2. The Authentication Server verifies the credentials. In Active Directory this is normally done through pre-authentication: the client sends a timestamp encrypted with the key derived from its password, and the Authentication Server can only decrypt it if that password is correct.

kerberosstrip2.png

 

  3. The Authentication Server returns a Ticket Granting Ticket and the (encrypted) TGS session key for connections to the Ticket Granting Server.

 

kerberosstrip3.png

 

Note:

The TGS session key is encrypted with the user's long-term key (derived from the user's password), so only the user can read it.
The TGT is encrypted with the Ticket Granting Service's long-term key (in Active Directory, the key of the krbtgt account) and CANNOT be decrypted by the user, only by the Ticket Granting Service. The TGT contains the same TGS session key.

The TGT has a limited lifetime (10 hours by default in Active Directory) and is normally renewed, or re-requested by authenticating again, automatically without the user noticing.

 

  4. The user wants to access a service, but it requires Kerberos authentication - a Service Ticket. This is where Fortinet services like the explicit proxy get involved: the proxy replies with an HTTP 407 Proxy Authentication Required response carrying a Negotiate challenge, which makes the client obtain a Service Ticket for the proxy's SPN.

 

kerberosstrip4.png

 

  5. The user connects to the Ticket Granting Server to request a Service Ticket for the service's Service Principal Name (SPN) and presents the Ticket Granting Ticket together with encrypted user information (the authenticator).

 

kerberosstrip5.png

Note
The user information (authenticator) is encrypted with the TGS session key. The TGT is (still) encrypted with the TGS' long-term key. The TGS can decrypt the TGT and retrieve the TGS session key from it.

The TGS can use the retrieved TGS session key to decrypt the user information. Being able to do so proves that the sender knows the session key and therefore authenticated to the Authentication Server earlier.

The user information contains a timestamp and is rejected if the difference between the user's timestamp and the server's system time exceeds the permitted clock skew (5 minutes by default). The timestamp also limits how long a captured authenticator could be replayed.

 

  6. The Ticket Granting Server checks the account (for example, that it is not disabled, expired or restricted from obtaining tickets for this service) and decides whether to issue a ticket. Note that in Active Directory the actual authorization decision is made by the service, not the TGS: the Service Ticket carries the user's identity and group membership (the PAC), and the service decides what that user may do.

 

kerberosstrip6.png

 

  7. The Ticket Granting Server issues a Service Ticket and an encrypted Service session key for a connection to the service.

 

kerberosstrip7.png

 

Note:

The Service session key is encrypted with the TGS session key. The Service Ticket is encrypted with the service's keytab and contains the same Service session key.

 

  8. The user presents the Service Ticket and encrypted user information (a new authenticator) to the service, which, if everything is correct, grants access.

 

kerberosstrip8.png

 

Note:

The user information is encrypted with the Service session key.

The Service Ticket is (still) encrypted with the service's long-term key (the key in its keytab). The service can decrypt the Service Ticket and retrieve the Service session key from it. The service does not contact the KDC during this step; the ticket alone proves that the KDC vouched for the user.

The service can then use the Service session key to decrypt the user information. The user information contains a timestamp and is rejected if the difference between the user's timestamp and the service's system time exceeds the permitted clock skew (5 minutes by default). For a FortiGate or FortiProxy explicit proxy this means the unit's clock must be synchronized (for example via NTP) with the clients and the domain controllers, and the keytab on the unit must match the key the KDC currently holds for the proxy's SPN; if the service account's password was changed after the keytab was created, decryption of the Service Ticket fails and authentication does not work.
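The whole exchange described in steps 1-8, as an added worked example that is not part of the original article and not Fortinet or MIT Kerberos code: a toy Python model of the Authentication Server, Ticket Granting Server and service, showing which key each message is encrypted with, that the client cannot open its own TGT, that the Service session key reaches the service only inside the Service Ticket, and how the clock-skew check and the step 6 account check reject a request. The cipher is a hash-based stand-in for the real Kerberos encryption types, the principal names, passwords and the proxy SPN HTTP/proxy.example.com are constructed, encrypted-timestamp pre-authentication is assumed for step 2 (the Active Directory default), and the KDC-side allow-list is a simplified stand-in for the account and authentication-policy checks a real KDC performs.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300        # seconds; Kerberos default clock-skew tolerance (5 minutes)
TGT_LIFETIME = 36000  # seconds; Active Directory default maximum ticket lifetime (10 h)

def long_term_key(principal, password):
    """Toy stand-in for the long-term key a keytab stores, derived from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt(key, obj):
    """Toy authenticated encryption (keystream XOR + HMAC); real Kerberos uses AES-CTS with HMAC."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def decrypt(key, blob):
    """Fails with the wrong key: this is what keeps a TGT opaque to the user who carries it."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body)))))

def check_authenticator(session_key, blob, expected_user, now):
    """Open the 'encrypted user information' (authenticator) and enforce the clock-skew limit."""
    auth = decrypt(session_key, blob)
    if auth["user"] != expected_user or abs(now - auth["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator rejected: user mismatch or clock skew too large")
    return auth

class KDC:
    """Authentication Server and Ticket Granting Server on one domain controller."""
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}  # TGS long-term key (the krbtgt account in AD)
        self.acl = {}  # SPN -> accounts allowed a ticket; simplified stand-in for the step 6 checks

    def add_principal(self, name, password):
        self.keys[name] = long_term_key(name, password)

    def as_exchange(self, user, preauth, now):
        """Steps 1-3: verify credentials (encrypted-timestamp pre-authentication), issue a TGT."""
        user_key = self.keys[user]
        check_authenticator(user_key, preauth, user, now)                              # step 2
        tgs_key = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"user": user, "key": tgs_key, "exp": now + TGT_LIFETIME})
        return tgt, encrypt(user_key, {"key": tgs_key})                                 # step 3

    def tgs_exchange(self, tgt, authenticator, spn, now):
        """Steps 5-7: open the TGT with the krbtgt key, check skew and the account, issue an ST."""
        t = decrypt(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired; the client must re-authenticate")
        tgs_key = bytes.fromhex(t["key"])
        check_authenticator(tgs_key, authenticator, t["user"], now)
        if t["user"] not in self.acl.get(spn, ()):                                      # step 6
            raise PermissionError(f"{t['user']} is not allowed to use {spn}")
        svc_key = os.urandom(32).hex()
        st = encrypt(self.keys[spn], {"user": t["user"], "key": svc_key})
        return st, encrypt(tgs_key, {"key": svc_key})                                   # step 7

class Service:
    """The service being accessed (e.g. the explicit proxy); it holds only its own keytab key."""
    def __init__(self, key): self.key = key

    def ap_exchange(self, st, authenticator, now):
        """Step 8: open the ST with the service key, then the authenticator with the session key."""
        ticket = decrypt(self.key, st)
        check_authenticator(bytes.fromhex(ticket["key"]), authenticator, ticket["user"], now)
        return ticket["user"]

PASSWORDS = {"alice@EXAMPLE.COM": "correct horse battery", "bob@EXAMPLE.COM": "hunter2"}  # constructed
SPN = "HTTP/proxy.example.com"  # assumed SPN of the explicit proxy

def run_flow(user="alice@EXAMPLE.COM", skew=0):
    """Drive steps 1-8 for `user`; `skew` offsets the client clock to exercise the timestamp check."""
    kdc = KDC()
    for name, pw in PASSWORDS.items():
        kdc.add_principal(name, pw)
    kdc.add_principal(SPN, "proxy-service-password")
    kdc.acl[SPN] = {"alice@EXAMPLE.COM"}             # bob is a valid account but not allowed on the proxy
    proxy = Service(kdc.keys[SPN])                    # in reality loaded from the proxy's keytab file
    now = time.time()
    user_key = long_term_key(user, PASSWORDS[user])   # the client derives its key from the password
    authenticator = lambda key: encrypt(key, {"user": user, "ts": now + skew})
    result = {"granted": False, "tgt_opaque_to_client": None, "reason": None}
    try:
        tgt, reply = kdc.as_exchange(user, authenticator(user_key), now)            # steps 1-3
        tgs_key = bytes.fromhex(decrypt(user_key, reply)["key"])
        try:
            decrypt(user_key, tgt)                                                  # user cannot open the TGT
            result["tgt_opaque_to_client"] = False
        except ValueError:
            result["tgt_opaque_to_client"] = True
        st, reply = kdc.tgs_exchange(tgt, authenticator(tgs_key), SPN, now)         # steps 4-7
        svc_key = bytes.fromhex(decrypt(tgs_key, reply)["key"])
        result["user"] = proxy.ap_exchange(st, authenticator(svc_key), now)         # step 8
        result["granted"] = True
    except PermissionError as exc:
        result["reason"] = str(exc)
    return result
```

run_flow() returns granted access for alice with tgt_opaque_to_client set to True; run_flow(skew=600) is refused already at step 2 because the authenticator's timestamp is outside the 5-minute window (the same check a FortiGate explicit proxy applies at step 8 when its clock drifts), and run_flow(user="bob@EXAMPLE.COM") passes authentication but is refused at step 6.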

 

Related documents:

Wikipedia: Kerberos (protocol)

Technical Tip: FortiGate explicit proxy authentication with Kerberos  

Fortinet Cyberglossary: Kerberos