Standards & protocols

Kerberos

Kerberos is an authentication protocol that uses time-limited tickets to allow clients and servers to authenticate each other over untrusted networks without sending passwords. It is the foundation of enterprise network authentication within Active Directory domains.

# WHAT TEAMS RUN INTO

  • Kerberos requires synchronized clocks. If client and server clocks are out of sync by more than a few minutes, authentication fails silently and mysteriously.

  • Kerberos tickets can be stolen and replayed. If an attacker captures a Kerberos ticket, they can use it to impersonate the user until the ticket expires, and Kerberos doesn't invalidate stolen tickets in real time.

  • Kerberos is designed for enterprise networks, not cloud. Modern hybrid and cloud environments don't have the synchronized network infrastructure that Kerberos depends on, so Kerberos authentication there either fails or requires complex bridges.
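
The clock and ticket-lifetime points above can be seen in the time checks a service applies to a presented ticket. The sketch below is an added example, not NewCore code: it models the three time checks described in RFC 4120, assumes a 5-minute tolerance (the example value the RFC gives), and uses constructed timestamps and a hypothetical `time_checks` helper.

```python
from datetime import datetime, timedelta, timezone

# Error codes as numbered in RFC 4120.
KRB_AP_ERR_TKT_EXPIRED = 32
KRB_AP_ERR_TKT_NYV = 33
KRB_AP_ERR_SKEW = 37

# Assumption: 5 minutes, the example tolerance RFC 4120 gives.
MAX_SKEW = timedelta(minutes=5)


def time_checks(server_now, auth_ctime, tkt_start, tkt_end, max_skew=MAX_SKEW):
    """Return 0 if the ticket passes the time checks, else the error code."""
    # Authenticator timestamp (client clock) vs. server clock.
    if abs(server_now - auth_ctime) > max_skew:
        return KRB_AP_ERR_SKEW
    # Ticket start time is too far in the future for this server.
    if tkt_start - server_now > max_skew:
        return KRB_AP_ERR_TKT_NYV
    # Ticket end time has passed by more than the tolerance.
    if server_now - tkt_end > max_skew:
        return KRB_AP_ERR_TKT_EXPIRED
    return 0


def run_scenarios():
    """Constructed timestamps; ticket issued at 08:00 with a 10 hour lifetime."""
    start = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
    end = start + timedelta(hours=10)
    m = lambda n: timedelta(minutes=n)
    return {
        # Client and server agree on the time.
        "in_sync": time_checks(start + m(1), start + m(1), start, end),
        # Client clock runs 7 minutes ahead of the server.
        "client_7min_fast": time_checks(start + m(1), start + m(8), start, end),
        # Client and server both run 7 minutes behind the issuing KDC.
        "server_7min_slow": time_checks(start - m(7), start - m(7), start, end),
        # Same ticket presented 9 hours later: still passes, nothing here
        # asks whether the ticket has been revoked.
        "reused_after_9h": time_checks(start + m(540), start + m(540), start, end),
        # Presented 6 minutes after the end time.
        "after_expiry": time_checks(end + m(6), end + m(6), start, end),
    }


if __name__ == "__main__":
    for name, code in run_scenarios().items():
        print(f"{name:18} -> {code}")
```

When triaging failures, error 37 points at clock drift on the client or server and error 33 at a server clock behind the KDC, while a result of 0 for the reused ticket shows why short ticket lifetimes are the main limit on a stolen ticket's usefulness.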

# WHY IT MATTERS

Kerberos is the foundation of enterprise network security within Windows domains. It moved authentication away from sending passwords across the network — a massive security improvement. But Kerberos makes strong assumptions about network infrastructure, clock synchronization, and trusted servers that don't always hold in modern environments. When Kerberos works, it is invisible and powerful. When it breaks, it breaks mysteriously.
