Key Distribution Center

Overview

The Key Distribution Center (KDC) is implemented as a domain service.

The KDC uses Active Directory as its account database and the Global Catalog for directing referrals to KDCs in other domains. The encryption key used in communicating with a user, computer, or service is stored as an attribute of the account object of that security principal.

Both Active Directory and KDC run as part of the LSA's process on a domain controller.

The KDC is a single process that provides two services: the Authentication Service and the Ticket-Granting Service.

Authentication Service (AS)

This service issues ticket-granting tickets (TGTs).

Ticket-Granting Service (TGS)

When clients want access to a computer, they contact the ticket-granting service in the target computer's domain, present a TGT, and ask for a ticket to the computer.

LSA

Both the Active Directory and KDC services are started automatically by the domain controller's Local Security Authority (LSA) and run as part of the LSA's process.

Account krbtgt

The security principal name used by the KDC in any domain.

Created automatically when a new domain is created.

Password

A random password value is assigned to the account automatically by the system during the creation of the domain.

The password for the KDC's account is used to derive a cryptographic key for encrypting and decrypting the TGTs that it issues.
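The following script is an added example (not part of the original page) that checks, from a defender's viewpoint, the pieces described above: which hosts advertise the KDC for the domain, whether the local Kdc service is running inside the LSA on a domain controller, and the state and password age of the krbtgt account whose key protects every TGT. It assumes a domain-joined host with the RSAT ActiveDirectory module installed and DNS resolution for the domain; the 180-day threshold is an assumed local policy value, not a figure from the page.

```powershell
# Added example, not from the original page: sanity check of the KDC service
# and the krbtgt account. Assumes RSAT ActiveDirectory module and domain DNS.
# The MaxPasswordAgeDays default is an assumed local policy value.
param(
    [int]$MaxPasswordAgeDays = 180
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Domain: $($domain.DNSRoot)"

# 1. Which hosts advertise a KDC for this domain (Kerberos SRV records in DNS)?
Resolve-DnsName -Name "_kerberos._tcp.$($domain.DNSRoot)" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize

# 2. On a domain controller the KDC runs as the 'Kdc' service inside the LSA process.
$kdc = Get-Service -Name Kdc -ErrorAction SilentlyContinue
if ($kdc) {
    Write-Host "KDC service state on this host: $($kdc.Status)"
} else {
    Write-Host "No local KDC service (this host is not a domain controller)."
}

# 3. The krbtgt account: created with the domain, disabled by default, and the
#    owner of the password from which the TGT-protecting key is derived.
$krbtgt = Get-ADUser -Identity krbtgt -Properties whenCreated, PasswordLastSet, Enabled
$age = (Get-Date) - $krbtgt.PasswordLastSet
[PSCustomObject]@{
    SamAccountName  = $krbtgt.SamAccountName
    Enabled         = $krbtgt.Enabled        # expected False: the KDC uses the key, nobody logs on with it
    WhenCreated     = $krbtgt.whenCreated
    PasswordLastSet = $krbtgt.PasswordLastSet
    PasswordAgeDays = [int]$age.TotalDays
} | Format-List

if ($age.TotalDays -gt $MaxPasswordAgeDays) {
    Write-Warning ("krbtgt password is {0} days old; the key that encrypts TGTs has not been " +
                   "rotated within {1} days.") -f [int]$age.TotalDays, $MaxPasswordAgeDays
}
```

Run it from an elevated PowerShell session on a domain-joined host; the SRV lookup and krbtgt query work from any member, while the service check only reports a running Kdc on a domain controller. A krbtgt account that is enabled, or whose PasswordLastSet date is far older than the domain's rotation policy, is the finding worth raising.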

Refer to .
