Kerberos Authentication

If a user wants to obtain access to resources within an Active Directory network, he must obtain a ticket through a 6-step process.

First, he sends a request to the Kerberos Distribution Center (KDC) with his password hash and a timestamp. (AS-REQ)

Second, if the password hash of the user matches that for the user on the KDC, the user receives a Ticket Granting Ticket encrypted and signed by the krbtgt account. (AS-REP)

Third, the TGT, including the krbtgt hash, is sent to the KDC or DC in order to receive a Kerberos Service Ticket (TGS). (TGS-REQ)

Fourth, the user then receives a TGS encrypted with the hash of the service account he wishes to access. (TGS-REP)

Fifth, the user then connects to the server and attempts to use the service he sent the initial request for with the TGS included. (AP-REQ)

Last, the user gains access, and mutual authentication between the server and client is performed if necessary. (AP-REP)
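
The six messages above as a small model, added here as an example and not part of the original page; it shows which long-term key protects each ticket and what fails when the wrong key is used. Assumptions: the accounts, passwords and lifetimes are constructed, a toy SHA-256 stream cipher with HMAC stands in for the real Kerberos encryption types, the client proves knowledge of its password hash by encrypting the timestamp with it, and session keys and authenticators are left out.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):  # SHA-256 counter keystream (toy cipher, illustration only)
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Stand-in for a Kerberos encryption type: encrypt, then MAC, under one key."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def key_of(password):  # constructed stand-in for the stored password hash
    return hashlib.sha256(password.encode()).digest()

# Constructed KDC account database: user, krbtgt and one service account.
KDC_DB = {"alice": key_of("Passw0rd!"), "krbtgt": key_of("krbtgt-secret"),
          "cifs/fs01": key_of("svc-secret")}

def as_exchange(user, password, now=None):
    now = now or time.time()
    # AS-REQ: timestamp encrypted with the key derived from the typed password.
    as_req = {"user": user, "pa": seal(key_of(password), {"ts": now})}
    ts = unseal(KDC_DB[as_req["user"]], as_req["pa"])["ts"]  # fails if hashes differ
    if abs(time.time() - ts) > 300:  # five-minute clock-skew window
        raise ValueError("timestamp outside allowed skew")
    # AS-REP: TGT sealed with the krbtgt key; the client cannot read or alter it.
    return seal(KDC_DB["krbtgt"], {"user": user, "exp": ts + 36000})

def tgs_exchange(tgt, spn):
    claims = unseal(KDC_DB["krbtgt"], tgt)  # TGS-REQ: only the KDC can open the TGT
    if claims["exp"] < time.time():
        raise ValueError("TGT expired")
    # TGS-REP: service ticket sealed with the target service account's key.
    return seal(KDC_DB[spn], {"user": claims["user"], "spn": spn})

def ap_exchange(service_key, service_ticket):
    claims = unseal(service_key, service_ticket)  # AP-REQ: service uses its own key
    return "welcome " + claims["user"]            # AP-REP

if __name__ == "__main__":
    tgt = as_exchange("alice", "Passw0rd!")
    print(ap_exchange(KDC_DB["cifs/fs01"], tgs_exchange(tgt, "cifs/fs01")))
```

Because the service ticket is sealed with the service account's key and the TGT with the krbtgt key, the secrecy of those two account hashes is what the whole exchange rests on.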
