Database on Identity Management Systems

“Kerberos (Version: 5-1.6.3)”:

Manufacturer of the IMS

  • MIT Massachusetts Institute of Technology
  • URL: (Visit Homepage)
  • Nature of provider / distributor: private
  • Nationality of the manufacturer: N/A

Type of the IMS / Class of the IMS

  • Type of the IMS: N/A
  • Class of the IMS: N/A

Supported languages

  • N/A

References for the IMS

  • Is the IMS an open/closed IMS?: Open
  • State of IMS deployment: Available
  • Distribution of the IMS: N/A
  • Geographic scope: Global

Hard and software requirements of the IMS

Almost any modern hardware/software

Installed base of the IMS (Userbase)

Widely used, distributed with various Microsoft and Apple products

Interoperability and supported standards

Kerberos employs a standardized protocol of the same name. There are several mostly interoperable implementations, by MIT, Kungliga Tekniska Högskolan (KTH) Stockholm, Microsoft and Apple.

The Kerberos standard is defined by the IETF. The current controlling documents are RFC 4120 and RFC 4537.

Server-side component(s)

The main component is the Key Distribution Center (KDC) which authenticates the users and supplies them with so-called tickets. These in turn allow the use of other resources. The KDC shares secrets with every service and user in the installation.

Client-side component(s)

The client machine needs Kerberos-enabled client software (a "Kerberized" client) for each service it wants to use with Kerberos.

Description of functionality / features (client and server)

Kerberos authentication perimeters are called Realms.

Inside a realm, the Kerberos setup consists of clients, application servers and the Ticket Granting Service (TGS). A user authenticates herself by password on her local machine (which must be known to the TGS and share a secret with it). After successful authentication the user can request tickets for services from the TGS. A ticket states that the user is authenticated and is allowed to use the service. Services on the application servers check whether the user sent a valid ticket with her request, and allow access only if the ticket is valid. Tickets are valid only for pre-defined periods of time.

Newer versions of Kerberos allow cross-realm authentication. In this setup, the TGSs of the participating realms have pairwise shared secrets and forward requests to remote services. The forwarded tickets are authenticated with the shared secrets.
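The ticket flow described above (initial authentication by password, trading the resulting TGT for service tickets, the validity period, and cross-realm forwarding over a pairwise shared secret), as an added example that is not part of this FIDIS record nor of MIT's Kerberos code: a small Python simulation in which tickets are JSON records authenticated with an HMAC under the secret the KDC shares with the ticket's consumer, standing in for the encrypted tickets of the real protocol. The realm names, principals, passwords and the eight-hour lifetime are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

LIFETIME = 8 * 3600  # tickets are valid only for a pre-defined period (constructed: 8 h)


def string_to_key(user: str, realm: str, password: str) -> bytes:
    """Long-term key derived from the password, salted with realm and name (as Kerberos does)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 100_000)


def _tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(key: bytes, payload: dict) -> dict:
    """A ticket: a statement about the client, bound to the key its consumer shares with the KDC."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": _tag(key, body.encode())}


def unseal(key: bytes, ticket: dict, now: int) -> dict:
    """What a service (or a remote TGS) does with a presented ticket: check origin, then lifetime."""
    if not hmac.compare_digest(_tag(key, ticket["body"].encode()), ticket["tag"]):
        raise PermissionError("ticket was not issued under the secret we share with the KDC")
    payload = json.loads(ticket["body"])
    if not payload["start"] <= now < payload["end"]:
        raise PermissionError("ticket outside its validity period")
    return payload


class KDC:
    """Authentication Service plus Ticket Granting Service of one realm (simulation)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.tgs_key = secrets.token_bytes(32)  # key under which TGTs for this realm are sealed
        self.keys = {}                          # principal -> secret shared with this KDC
        self.peers = {}                         # remote realm -> pairwise inter-realm secret

    def register(self, principal: str, key: bytes) -> None:
        self.keys[principal] = key

    def as_exchange(self, user: str, proof: str, now: int) -> dict:
        """Initial authentication: proof is a MAC over the current time under the user's key."""
        expected = _tag(self.keys.get(user, b""), str(now).encode())
        if user not in self.keys or not hmac.compare_digest(expected, proof):
            raise PermissionError("pre-authentication failed")
        return seal(self.tgs_key, {"client": user, "realm": self.realm,
                                   "start": now, "end": now + LIFETIME})

    def tgs_exchange(self, tgt: dict, service: str, now: int, issued_by=None) -> dict:
        """Trade a TGT (our own, or one forwarded by a peer realm's TGS) for a service ticket."""
        tgt_key = self.tgs_key if issued_by is None else self.peers[issued_by]
        holder = unseal(tgt_key, tgt, now)
        if service.startswith("krbtgt/"):  # cross-realm referral: a TGT for the peer realm's TGS
            service_key = self.peers[service.split("/", 1)[1]]
        else:
            service_key = self.keys[service]
        return seal(service_key, {"client": holder["client"], "realm": holder["realm"],
                                  "start": now, "end": min(now + LIFETIME, holder["end"])})


def _rejected(fn) -> bool:
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Run the single-realm and cross-realm flows with constructed principals and report the outcomes."""
    now = 1_700_000_000
    home, partner = KDC("EXAMPLE.ORG"), KDC("PARTNER.NET")
    alice_key = string_to_key("alice", "EXAMPLE.ORG", "correct horse battery staple")
    home.register("alice", alice_key)
    mail_key, web_key = secrets.token_bytes(32), secrets.token_bytes(32)
    home.register("imap/mail.example.org", mail_key)
    partner.register("HTTP/www.partner.net", web_key)
    inter_realm = secrets.token_bytes(32)         # pairwise secret between the two TGSs
    home.peers["PARTNER.NET"] = inter_realm
    partner.peers["EXAMPLE.ORG"] = inter_realm

    r = {}
    wrong = _tag(string_to_key("alice", "EXAMPLE.ORG", "wrong password"), str(now).encode())
    r["bad_password_rejected"] = _rejected(lambda: home.as_exchange("alice", wrong, now))
    tgt = home.as_exchange("alice", _tag(alice_key, str(now).encode()), now)
    mail_ticket = home.tgs_exchange(tgt, "imap/mail.example.org", now)
    r["mail_client"] = unseal(mail_key, mail_ticket, now + 60)["client"]
    r["wrong_service_rejected"] = _rejected(lambda: unseal(web_key, mail_ticket, now + 60))
    r["expired_rejected"] = _rejected(lambda: unseal(mail_key, mail_ticket, now + LIFETIME))
    # cross-realm: home's TGS issues a referral TGT sealed under the inter-realm key,
    # which partner's TGS accepts and turns into a ticket for its own service
    referral = home.tgs_exchange(tgt, "krbtgt/PARTNER.NET", now)
    web_ticket = partner.tgs_exchange(referral, "HTTP/www.partner.net", now, issued_by="EXAMPLE.ORG")
    web = unseal(web_key, web_ticket, now)
    r["web_client"], r["web_realm"] = web["client"], web["realm"]
    return r


if __name__ == "__main__":
    print(demo())
```

The simulation keeps the trust relationships of the record's description: the only parties that can mint a ticket accepted by a service are those holding the secret that service shares with its KDC, a ticket for one service is useless at another, and an expired ticket is refused regardless of who minted it.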

There are many other standards that extend the functionality of Kerberos. For example, some implementations currently support PKINIT, so that public keys can be used for initial authentication instead of a username / password. (www.ietf.org/html.charters/krb-wg-charter.html)

Many organizations use Kerberos as a key component of their single sign-on (SSO) strategy.

There are also products that use Kerberos for web authentication, using HTTP SPNEGO negotiation. Examples include IE, IIS, Apache, Firefox, Safari, …

Main functionality

Authentication and Single Sign-On

Purchase costs in EUR

0 (Open Source)

Flow charts of the IMS

Screenshots of the IMS

Other file resources

N/A

Evaluator of the IMS

Martin Meints (ICPP)

General Comments (free text)

This record was last updated on: 17-04-2008 16:00