Kerberos SSP/AP

The Kerberos authentication package is used when logging on to a network; local logons are handled by MSV1_0.

When a user logs on using a network account, by default, Kerberos attempts to connect to the Kerberos Key Distribution Center (KDC) on the domain controller and obtain a ticket granting ticket (TGT) by using the logon data supplied by the user.

If a Kerberos KDC is not available, Windows uses MSV1_0 and pass-through authentication as described in MSV1_0 Authentication Package.

The Kerberos authentication package supports version 5, revision 6 of the Kerberos protocol. This protocol is based on Internet RFC 4120. For more information, see the IETF website:

For more information about Kerberos, see Microsoft Kerberos.

Kerberos Credential Formats

The user credentials assigned by the Kerberos authentication package after a successful logon attempt are a ticket and a temporary encryption key, often called a session key. The ticket contains both an encrypted copy of the client's credentials and the session key.