Key Distribution Center
Last updated
Last updated
The Key Distribution Center (KDC) is implemented as a domain service.
KDC uses the Active Directory as its account database and the Global Catalog for directing referrals to KDCs in other domains. The encryption key used in communicating with a user, computer, or service is stored as an attribute of the account object of that security principal.
Both Active Directory and KDC run as part of the LSA's process on a domain controller.
The KDC is a single process that provides two services: Authentication and Ticket-Granting service.
This service issues ticket-granting tickets (TGTs).
When clients want access to a computer, they contact the ticket-granting service in the target computer's domain, present a TGT, and ask for a ticket to the computer.
Both Active Directory and KDC services are started automatically by the domain controller's Local Security Authority (LSA) and run as part of the LSA's process.
krbtgt
The security principal name used by the KDC in any domain.
Created automatically when a new domain is created.
A random password value is assigned to the account automatically by the system during the creation of the domain.
The password for the KDC's account is used to derive a cryptographic key for encrypting and decrypting the TGTs that it issues.
Refer to .