Share via

Kerberos Key Distribution Center

Applies To: Windows Server 2008

The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS).


The following is a list of all aspects that are part of this managed entity:

Name Description

Active Directory Domain Services Replication Availability

The Kerberos Key Distribution Center (KDC) uses a key ticket version to ensure that the keys are current across domain controllers acting as KDCs. The key ticket version is replicated to the other domain controllers by using Active Directory Domain Services (AD DS) replication.

Active Directory Domain Services Trust Configuration

Active Directory Domain Services (AD DS) trusts are used to establish trust relationships between different Kerberos realms so that Kerberos clients can access resources.

KDC Certificate Availability

Kerberos uses certificates to encrypt communication between the Kerberos client and the Kerberos Key Distribution Center (KDC).

KDC Encryption Type Configuration

Kerberos allows certain encryption types that can be used to encrypt Kerberos tickets. Other encryption types can be configured for Kerberos clients that do not support the default encryption types.

KDC Password Configuration

The Kerberos ticket-granting ticket (TGT) is enciphered with the Kerberos Key Distribution Center (KDC) account's password. The TGT is issued to the Kerberos client from the KDC.

KDC Service Availability

A Kerberos Key Distribution Center (KDC) is a network service that accepts requests for tickets from Kerberos clients, validates their identity, and grants tickets to them.

Kerberos Key Integrity

Kerberos keys are created by the Key Distribution Center (KDC) and derived from the password of the user account. These keys are used by the Kerberos client to communicate with the Kerberos KDC in a secure manner.

Kerberos Smart Card Authentication

Kerberos authentication can be accomplished by using smart card authentication.

Privilege Attribute Certificate Configuration

The Kerberos Privilege Attribute Certificate (PAC) contains all of the group memberships for the security principal requesting access to a resource. This certificate is transferred to the client by using the Key Distribution Center (KDC).

Security Accounts Manager Availability

The Security Accounts Manager (SAM) database on the Kerberos client is used to authenticate requests from the Kerberos Key Distribution Center (KDC). The SAM database must be available for the Kerberos client authentication request to succeed.

Service Principal Name Configuration

Service principal names (SPNs) are stored as a property of the associated account object in Active Directory Domain Services (AD DS). An SPN is used by Kerberos to uniquely identify an account that is requesting access to a resource.

Services for User to Self Configuration

Services for User to Self (S4USelf) provides the ability for a service to request a Kerberos ticket on behalf of a user account.

Core Security