One way to think of using Kerberos is to think of going to an amusement park. When you arrive at the park, you go to the main gate. You then proceed to the main ticket booth (the authentication server in the key distribution center) and purchase an all-day pass to the park (a ticket-granting ticket). You receive a purple wristband (because purple is the color for Wednesday) that indicates that you have paid your fee for that day and you have full access to the park. The colored wristband is good for all day. While in the park, you must purchase additional tickets for the rides. You walk up to a ticket booth (ticket-granting server) and the attendant notices that you have a purple wristband. You tell her you are wanting to ride the roller coaster. She issues you a ticket (session ticket) for the roller coaster. When you get to the roller coaster, the roller coaster attendant sees your purple wristband and accepts the ticket issued to you by the ticket seller. The roller coaster attendant does not need to check with the ticket seller because that is the only place you could have obtained that ticket. At the end of the day, when the park closes, the purple wristband for Wednesday no longer authenticates you. The wristband color for Thursday is orange. You also noticed that you did all the work. None of the ticket sellers or ride operators communicated with each other. It was up to you to procure tickets and walk around and distribute them. This is exactly the model as designed by MIT for Kerberos.

I was trying to understand the flow of the tickets and the keys for kerberos authentication process. This is the easiest explanation I found. It is clear now how it works, in my case for an SMB File share resource sharing. Thanks

The best explanasion how kerberos is works! Thank you!

Thanks for a great video. Very clear.

This is one of the best detailed explanations for KCD in KZfaq.

Super helpful ...Thank you for clearing the concept !!

Best explanation on all of KZfaq. Kudos.

amazing explanation

nice backwards writing skills

I would be happy to know when you think you will publish the parts 2 & 3

8:34 double encrypted with service key and client key, but the session key is stored inside this double encryption, right? How will the client know that session key? I am assuming that "session key" is the key used to later encrypt all communication between client and server. If not, what happens when somebody intercepts the server ticket, when it is being sent to the server by the client, and then uses it for himself.

Good video, will be waiting for the f5 APM part

After SPNs were explained in a nutshell the rest of the video's req/rep mentions nothing about SPNs. Would be nice if it did.

Waiting for other 2 videos

Thanks!

Informative

Thanks I like the video, but I have a little question: At 7:53, the session key meant to be used between the client and the service provider (principal) is encrypted using the secret key shared between the TGS and the Service Provider, but how does the client know the session key? If it is encrypted with a key only the principal and the TGS know, the client cannot decrypt it. Which part did I miss? How does the client learn about the session key? Is it just added and "one-time-encrypted" using the shared key between the client and the TGS? Thanks!

What about Java JAAS and thousands of threads requests? Nobody talks about Java but TGS are always lost in subject. How to workaround?

Great video! But I don't believe the "Kerberos Tray" is a commonly recognized term in the context of the Kerberos authentication protocol.

Nice!

How do the private keys get distributed to the different places in the first place? thx

nice

Good explanation i can see a little better what data transfer protocols are most about.. Cryptography

Do you make your shirt with backwards logos or is he actually writing backwards?

Waiting for Part2,3

Dear can i know the mathematical function/ algorithms for kerberos v5 .

Do you know any live working example of KERBEROS?

My system is sending user as domain\UserID format using Kerberos but need to send only user as UserID format to grant access. How to remove this domain name from user using Kerberos configuration? Anyone having any idea on this? Thanks for helping

Are you writing backwards?

What is AS in AS Req? And What is AP in AP Req? Someone kindly elaborate please..

Could you please explain why ticket is getting large when users are memer of multiple groups?

Hi, can you please make a video on ssl vpn via apm module please ?

Is he writing backwards so we can read it forwards?

squeak squeak squeak

Not to be nick-picky here, but I think it would help to mention the role of NTP servers being used to avoid running beyond MaxClockSkew

sound too difficult to hear.

Poorly explained...!!! incoherent!!! !!!!