It depends on the algorithm. The Kerberos specification states that the encryption and decryption functions must handle integrity checking, but the algorithm specified must define this behavior.
The only reasonably secure Kerberos algorithm types that Windows supports are aes128-cts-hmac-sha1-96
and aes256-cts-hmac-sha1-96
. Neither of these are great choices since they use SHA-1, but HMAC-SHA-1 is still secure in this context, although SHA-1 on the whole should still be avoided. In these algorithms, it's encrypt-and-MAC: the plaintext is prepended with a random string, the MAC and encryption are both done over that preprended plaintext, and the MAC is appended.
For systems using the more modern aes128-cts-hmac-sha256-128
and aes256-cts-hmac-sha384-192
, they are encrypt-then-MAC: the MAC is computed over the ciphertext. Windows doesn't support that, however, although most Unix systems do.
Windows also supports a variety of older, insecure algorithms for Kerberos, none of which should be used. Those algorithms use single DES in CBC mode with a CRC (!) or HMAC-MD5, and RC4 with HMAC-MD5. Even though HMAC-MD5 is considered to be secure when used as a MAC, responsible parties don't use MD5 at all, and RC4 has weaknesses that are practically attackable in many protocols. Single DES is crackable commercially for $20, so it's totally insecure. If you're interested in their encryption anyway, I refer you to the relevant RFCs.