
Kerberos Token Size and DoS

Kerberos Token Size and DoS (PDF, 2.55MB)
Published: 25 Jul, 2011
Created by Joshua Sprenger

Kerberos has been the default authentication protocol for Windows since XP/2000. Although the protocol offers many benefits over its predecessors, it does have some weaknesses. One unintended weakness is that the Kerberos token can grow to the point where Denial of Service (DoS) issues arise. This is especially prevalent in large enterprises, where, during the 10 years that Kerberos has been the primary Windows protocol, some users have found their accounts to be members of several hundred groups. The result is an inability to use important company resources such as Exchange Servers and to authenticate to web sites. Additionally, this weakness can be used maliciously to cause widespread DoS throughout an enterprise.