Kerberos Sequence Diagrams
These diagrams trace the Kerberos AS / TGS / AP ticket exchange. For a worked example on a real capture, see how VisualEther walks an Active Directory Kerberos trace and flags RC4 tickets exposed to Kerberoasting.
Kerberos allows the users to login once and then automatically get logged into all the services they may need. The mechanism used here is similar to the steps you have to take to purchase food at a stall at a fair:
- You pay cash and get a ticket specifying the amount you paid.
- You then take your ticket to another stall where you present the ticket and get tokens for individual items that you ordered.
- Now you visit individual stalls, present the token and collect the food item.
Authentication is Kerberos is very similar:
- Authenticate yourself with the Authentication Server and get a "Ticket Granting Ticket".
- Present the "Ticket Granting Ticket" to the "Ticket Granting Server" and get a Service Ticket
- Present the Service Ticket and get the requested service.