Kerberos provides SSO authentication in Windows AD. Key components: KDC (Key Distribution Center), TGT (Ticket-Granting Ticket), TGS (Ticket-Granting Service). No passwords sent over network.
Kerberos flow: authenticate to KDC → receive TGT → use TGT to request service tickets (TGS) → present service ticket to target service. Attacks: Golden/Silver tickets, Kerberoasting, AS-REP Roasting, Pass-the-Ticket. KRBTGT is the most sensitive AD account.