Kerberos is an authentication protocol that supports the concept of Single Sign-On (SSO). Having authenticated once at the start of a session, users can access network services throughout a Kerberos realm without authenticating again. Kerberos achieves this through the use of ‘tickets’ (which prove the identity of one Kerberos ‘principal’ to another) and ‘Key Distribution Centres’ (KDCs, which are responsible for issuing tickets).

There are three notable open-source implementations of Kerberos: MIT Kerberos, Heimdal, and GNU Shishi. Kerberos is also one of the technologies on which Microsoft Active Directory is based. Network services that are capable of using Kerberos for authentication include SSH, HTTP, IMAP, NFSv4 and LDAP.

Kerberos support is often provided via an intermediate mechanism such as GSS-API and/or SASL. For this reason, clients and servers that are capable of authenticating using Kerberos do not necessarily mention it by name in their documentation. In the specific case of HTTP, other relevant terms include SPNEGO, ‘integrated authentication’ and ‘negotiate authentication’.
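Because the HTTP header only says "Negotiate", the way to confirm that Kerberos is in use is to read the mechanism OID from the GSS-API framing of the token. The following is an added example, not taken from the original page or from any Kerberos implementation: the function names are hypothetical, the OIDs are the published ones for Kerberos 5 and SPNEGO, and the sample headers are constructed (real framing, placeholder body).

```python
import base64

# Well-known GSS-API mechanism OIDs (Kerberos 5: RFC 4121, SPNEGO: RFC 4178).
MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5", "1.3.6.1.5.5.2": "SPNEGO"}

def _der_len(buf, pos):
    """Read a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if not 1 <= n <= 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _oid_to_str(body):
    """Decode DER OID content (first sub-identifier assumed to fit one byte)."""
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def negotiate_mechanism(header_value):
    """Name the mechanism in a Negotiate header value; None if it carries no token."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    if not token.strip():
        return None  # bare challenge: the server offers Negotiate, nothing to decode
    raw = base64.b64decode(token.strip(), validate=True)
    # RFC 2743 initial token: 0x60, DER length, then 0x06 <len> <mechanism OID>
    if len(raw) < 4 or raw[0] != 0x60:
        return "unrecognised (no GSS-API initial-token framing)"
    _, pos = _der_len(raw, 1)
    if pos + 2 > len(raw) or raw[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_len(raw, pos + 1)
    if oid_len == 0 or pos + oid_len > len(raw):
        raise ValueError("truncated mechanism OID")
    return MECHS.get(_oid_to_str(raw[pos:pos + oid_len]), _oid_to_str(raw[pos:pos + oid_len]))

def sample_header(oid_der):
    """Constructed header: real framing and OID, placeholder bytes as the body."""
    inner = oid_der + b"\x00" * 8
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(inner)]) + inner).decode()
```

A result of "SPNEGO" means the token is a negotiation wrapper whose inner mechanism list would still need decoding to see whether Kerberos is among the offered mechanisms.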

