Note in the above diagram, the challenge is just a 16 byte random number, so the client then just encrypts it with the password hash of the user and returns it. Then, in step 5, the DC obtains the password hash for the user and then uses it to encrypt the original challenge. If this matches the original response from the client then the DC sends the server confirmation that the user is authenticated.
Breaking this down further:
- When a user attempts to log on to client, the kerberos service on the client sends a kerberos authentication request to the KDC. This request will contain user name, service information for which the TGT is requested, and a time stamp that is encrypted with the user password.
- The DC will decrypt the timestamp with the user password that it gets from AD. If the timestamp is then valid, the user is genuine. The KDC will then create a logon session key, and encrypts the copy with the user password. The authentication service then creates a TGT which includes user info and the logon session key. The authentication service will then encrypt the TGT with its own key and passes both the encrypted session key and encrypted TGT to the client.
- The client will then decrypt the logon session key using the user password and caches it locally. Also stores the encrypted TGT in its cache. When accessing a network service, the client will send a request to the KDC ticket granting service (TGS) with information that includes the user name, an authenticator message encrypted using the user's session key, the TGT and the name of the service that they want to access.
- The TGS on the KDC decrypts the TGT using its own key and extracts the logon session key. Using this logon session key it can decrypt the authenticator message (which is usually a timestamp). If this authenticator message is successfully decrypted, the TGS extracts user info from the TGT, and using this user info will create a service session key for accessing the service. One copy of the service session key is encrypted with the user's logon session key, and a service ticket is then created with the service session key and the user info. The service ticket is then encrypted with the server's password. The TGS then sends the encrypted service session key and service ticket to the client.
- When the client accesses the service, it sends a message to the server containing the authenticator message (timestamp) which is encrypted using the service session key and the service ticket.
- The server decrypts the service ticket and extracts the service session key, which it then uses to decrypt the authenticator message. It evaluates this. If the authenticator passes the test, the server encrypts the authenticator message using the service session key and then passes the authenticator back to the client. The client decrypts it and if it is the same as the original the service is genuine and the client proceeds with the connection.
- Mutual authentication - so client is assured that the service is not being impersonated.
- Delegation support - servers that authenticate clients using kerberos can impersonate those clients and use their security context to access network resources.
- Better performance than NTLM.
- In multiple domains, point to point trust relationships are not required.
These enable mutual authentication, and allow clients to request tickets to then communicate with a particular service.
SPNs in AD maintain a mapping between the constructed name e.g. MyService/MyServer:1879 and the domain account under which the service you want is running. For this to be impersonated, an attacker would need to disable the real service and remove the actual server from the network. They'd then need to add a new computer with the same name and expose the duplicated service. Since Kerberos v5 uses mutual authentication, the client will not be able to use the duplicated service unless it knows the password for the domain account under which the actual service is configured to run.