Let me try to explain Kerberos today.
Kerberos is based on Needham–Schroeder protocol. Kerberos is designed to protect from password sniffing attacks, MITM etc. All the user credentials is stored in a Centralised location. The disadvantage is that, this also leads to single point of failure.
In the case of Kerberos, the user sends the Principal identity and credentials to the KDC (Authentication Server – Can be an Active Directory DC). An example of Principal would be “sau@XAMPLE.COM”, which represents a user named ‘sau’ that belongs to a realm named XAMPLE.COM.
The KDC (Authentication Server) checks for the principal and creates TGT and wraps it with principal’s user key. TGT is decrypted by the user and stored in credentials cache.
The user sends the TGT to the ticket-granting server (TGS). After verifying the TGT is valid, the TGS issues a ticket to access the application.