Kerberos Pre-Authentication


Kerberos Pre-Authentication is a concept within Kerberos.

Kerberos Pre-Authentication is defined in RFC 6113 and an IANA Registry for Pre-authentication and Typed Data

Kerberos Pre-Authentication is a security feature which offers protection against password-guessing attacks. The AS request identifies the client to the KDC in Plaintext. If Kerberos Pre-Authentication is enabled, a Timestamp will be encrypted using the user's password hash as an encryption key. If the KDC reads a valid time when using the user's password hash, which is available in the Microsoft Active Directory, to decrypt the Timestamp, the KDC knows that request isn't a replay of a previous request.

Without Kerberos Pre-Authentication a malicious attacker can directly send a dummy request for authentication. The KDC will return an encrypted TGT and the attacker can brute force it offline. Upon checking the KDC logs, nothing will be seen except a single request for a TGT. When Kerberos timestamp Kerberos Pre-Authentication is enforced, the attacker cannot directly ask the KDCs for the encrypted material to Brute-Force offline.

More Information#

There might be more information for this subject on one of the following: