Skip to main content

CompTIA A+

Kerberos and MFA

11 min read

A weak sign-in setup can turn a normal day into an incident response day. That risk shows up everywhere, in a school lab, a small business office, or a home lab with a domain controller. For CompTIA A+ Core 2 (220-1202), Domain 2.0 (Security), Objective 2.3, you're expected to understand Kerberos and multifactor authentication well enough to explain them and recognize common failures.

Kerberos is an authentication system that uses time-limited tickets so users don't resend their password to each service. Multifactor authentication (MFA) is a sign-in method that requires two or more different factor types, not just two passwords.

By the end, you'll be able to explain the Kerberos ticket flow, spot the issues that break it most often, and choose practical MFA factors you'll actually support on the job.

Kerberos in plain English, what it does and where you will see it

Kerberos shows up most often in Windows domain networks that use Active Directory. Its job is simple: prove who you are, then let you access many services without typing your password over and over. People often call this single sign-on, but the key idea is safer sign-on across the network.

A good way to picture Kerberos is a venue wristband. You prove you paid once at the entrance, then you show the wristband at different stations. You don't keep handing over your credit card at every booth. In the same way, Kerberos helps avoid sending your password across the network each time you open a resource.

Here's a story that matches what happens at work. An employee logs into a domain-joined laptop in the morning. Later, they open a file share on a server, check email, and use an internal web app. Kerberos helps the laptop prove the user's identity to each service using tickets, not repeated password prompts. That reduces exposure to password capture on the wire, and it improves the user experience.

Kerberos also supports strong controls that admins care about, like short ticket lifetimes and centralized policy on domain controllers. Still, it's not magic. It depends on correct time, correct DNS, and correct service identity settings. When those basics break, Kerberos fails in ways that can look confusing at first.

Kerberos often fails for ordinary reasons, time drift, DNS misrouting, or a service identity mismatch, not because the encryption "got hacked."

The three main parts, client, KDC, and the service you want to use

Kerberos has three main actors:

  • Client: the user's device (for example, a Windows PC) that requests access.
  • Key Distribution Center (KDC): the trusted Kerberos service, usually on a domain controller.
  • Service server: the resource you want, such as a file server, print server, email server, or web app.

Inside the KDC, you'll hear two labels. The Authentication Service (AS) handles the first sign-in request. The Ticket Granting Service (TGS) handles later requests for access to specific services. In practice, they run as parts of the KDC on the domain controller.

A ticket is a signed, encrypted proof that says, "this user already authenticated, and this ticket is valid until time X." Because the ticket is encrypted, other systems can trust it without learning the user's password. The service server reads the ticket, checks it, and then decides whether to allow access.

How the ticket flow works, from logon to accessing a shared resource

First, the user logs in to the domain from their PC. The client sends an AS-REQ to the KDC. The KDC replies with an AS-REP that includes a Ticket Granting Ticket (TGT). Think of the TGT as the wristband that proves you already passed the entrance check.

Next, the user tries to open a shared folder on a file server. The client doesn't send the password. Instead, it sends a TGS-REQ to the KDC, asking for a ticket for that file service. The KDC returns a TGS-REP that contains a service ticket.

Finally, the client presents that service ticket to the file server. If the ticket checks out, the server grants access based on the user's permissions.

Time matters throughout this flow. Tickets contain timestamps and expiration times, so the client and domain controller need closely matched clocks. Kerberos also relies on shared secret keys tied to accounts (user accounts and service accounts). You don't need the math for A+, but you should remember the purpose: encryption helps prove identity without repeating the password to every server.

What breaks Kerberos most often, and how to troubleshoot fast

Kerberos problems often feel random because the user can sign in to one thing but not another. A junior tech gets pulled in after the user says, "My password works, but the file share won't open," or, "I can't log in today, and nothing changed." The fastest troubleshooting approach is to check the basics that Kerberos depends on: time, DNS, and domain relationships.

Start by confirming what the user can and can't do. Can they log in to Windows? Can they reach the internet? Do only domain resources fail?

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account