# Kerberos in Enterprise SSO

One-sentence definition: Ticket-based mutual authentication with a KDC (AS/TGS) enabling single sign-on in domains.

## Key Facts

- TGT issued after initial auth; service tickets for each resource.
- Relies on **time sync**; mitigates replay via timestamps.
- SPNs and constrained delegation limit abuse; use strong crypto.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Pick Kerberos for internal SSO; check NTP when errors appear.

**Mnemonic:** “**Tickets** to everything.”

## Mini Scenario

Q: Users fail SSO after time change—what broke?

A: Clock skew; fix NTP.

## Revision Checklist

- TGT vs service ticket.
- Delegation concept.
- Time dependency.

## Related

[[Single Sign-On (SSO) Patterns]] · [[Directory Services (LDAP and Active Directory)]] · [[Time Synchronization and NTP Security]] · [[Authentication Factors and MFA]] · [[Session Management (Timeouts Fixation Hijacking)]] · [[Domain 5 - Index]]