MIT Kerberos Documentation

MIT Kerberos features

Quick facts

License MIT Kerberos License information  
Latest stable version
Supported versions
Release cycle 9–12 months  
Supported platforms / OS distributions
Windows (KfW 4.0)
  • Windows 7
  • Vista
  • XP
  • x86_64/x86
  • Debian x86_64/x86
  • Ubuntu x86_64/x86
  • RedHat x86_64/x86
  • NetBSD x86_64/x86
Crypto backends
  • builtin
  • OpenSSL 1.0+
  • NSS 3.12.9+
Database backends
  • LDAP
  • DB2
krb4 support < 1.8  
DES support configurable



Starting from version 1.7:

  • Follow client principal referrals in the client library when obtaining initial tickets.
  • KDC can issue realm referrals for service principals based on domain names.
  • Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.
  • Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.
  • NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.
  • KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.
  • Support Microsoft set/change password (RFC 3244) protocol in kadmind.
  • Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.

Starting from version 1.8:

  • Microsoft Services for User (S4U) compatibility


  • Support for reading Heimdal database starting from version 1.8

Feature list

Available Additional information
Credentials delegation 1.7 RFC 5896
Cross-realm authentication and referrals 1.7
Master key migration 1.7
PKINIT 1.7 RFC 4556
Anonymous PKINIT 1.8 RFC 6112
Constrained delegation 1.8
Heimdal bridge plugin for KDC backend 1.8  
GSS-API S4U extensions 1.8
GSS-API naming extensions 1.8 RFC 6680
GSS-API extensions for storing delegated credentials 1.8 RFC 5588
Advance warning on password expiry 1.9  
Camellia encryption (CTS-CMAC mode) 1.9 RFC 6803
KDC support for SecurID preauthentication 1.9
kadmin over IPv6 1.9  
Trace logging 1.9
GSSAPI/KRB5 multi-realm support    
Plugin to test password quality 1.9
Plugin to synchronize password changes 1.9  
Parallel KDC 1.9  
GSS-API extentions for SASL GS2 bridge 1.9 RFC 5801 RFC 5587
Purging old keys 1.9  
Naming extensions for delegation chain 1.9  
Password expiration API 1.9  
Windows client support (build-only) 1.9  
Zero configuration    
IPv6 support in iprop    
Plugin interface for configuration 1.10
Credentials for multiple identities 1.10
Client support for FAST OTP 1.11 RFC 6560
GSS-API extensions for credential locations 1.11
Responder mechanism 1.11

Pre-auth mechanisms

PW-SALT   RFC 4120
FAST negotiation framework 1.8 RFC 6113
PKINIT with FAST on client 1.10 RFC 6113
S4U-X509-USER 1.8


modularity 1.9  
Yarrow PRNG < 1.10  
Fortuna PRNG 1.9
OS PRNG 1.10 OS’s native PRNG