Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 1 Overview

Authentication Process


The Kerberos server grants tickets to your user principal so that you can access secured network services. You authenticate to the server by providing your user name and password. When the server has authenticated you, it returns a set of initial credentials for you, including a TGT and a session key.

The Kerberos server grants a service ticket for a specific service principal that can be associated with one or more Kerberos-secured services. A client application uses your service ticket to authenticate you to a Kerberos-secured network service. The secured client application automatically handles the transactions with the Kerberos Server and the secured application server. Service tickets and associated session keys are generally cached in your user credentials cache along with the TGT of the user.

Figure 1-1 “Authentication Process” illustrates the actions of the components and the Kerberos protocol in a secured environment.

Figure 1-1 Authentication Process

The following is a description of how a client and server authenticate each other using Kerberos:

  1. Send a request for a ticket for the TGS that you want to access. You can request specific ticket flags and specify the key type used to construct the secret key, or you can accept the default values configured for the client.

    Send the following information to the Authentication Service (AS) to obtain credentials:

    • Client: the user name, also referred to as the principal name

    • Server: the TGS

    • Time stamp

    • Nonce

  2. If the AS decrypts the message successfully, it authenticates the requesting user and issues a TGT. The TGT contains the user name, a session key for your use, and the name of the server to be used for any subsequent communication. The reply message is encrypted using your secret key.

  3. The client decrypts the message using your secret key. The TGT and the session key from the message are stored in the client’s credential cache. These credentials are used to obtain tickets for each network service the principal wants to access.

    The Kerberos protocol exchange has the following important features:

    • The authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text.

    • The client (or any other user) cannot view or modify the contents of the TGT.

  4. To obtain access to a secured network service such as rlogin, rsh, rcp, ftp, or telnet, the requesting client application uses the previously obtained TGT in a dialogue with the TGS to obtain a service ticket. The protocol is the same as that used to obtain the TGT, except that the messages contain the name of the server and a copy of the previously obtained TGT.

  5. The TGS returns a new service ticket that the application client can use to authenticate to the service.

  6. The application client tries to authenticate to the service. The server decrypts the service ticket using its own service key, which is present in the keytab file; using the session key, it then decrypts the authenticator and verifies the identity of the user. It also verifies that the user’s service ticket has not expired. If the user does not have a valid service ticket, the server returns an appropriate error code to the client.

  7. (Optional) At the client’s request, the application server can also return the timestamp sent by the client, encrypted in the session key. This provides mutual authentication between the client and the server.
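The seven steps above as an added, runnable simulation; this is not HP's code and not the Kerberos Server product. One object plays the AS and TGS, an application-server object checks the service ticket against the key it would read from its keytab file, and the client object keeps the TGT, session keys and service tickets in a dictionary that stands in for the credentials cache. Everything concrete is constructed: the realm EXAMPLE.COM, the principal names and passwords, and the sealing function (a SHAKE256 keystream with an HMAC tag, used in place of a Kerberos encryption type). The two error codes are the RFC 4120 values for an expired ticket and a bad authenticator.

```python
# Toy model of the three Kerberos exchanges in steps 1-7: AS (TGT), TGS (service
# ticket) and AP (authenticator plus optional mutual authentication). Constructed
# example, not HP's code: the cipher is a SHAKE256-keystream/HMAC stand-in for a
# Kerberos encryption type, and the realm, principals and passwords are invented.
import hashlib, hmac, json, os

TGS = "krbtgt/EXAMPLE.COM"      # the ticket-granting service principal (invented realm)
MAX_SKEW = 300                  # seconds of clock skew tolerated on timestamps
KRB_AP_ERR_BAD_INTEGRITY = 31   # RFC 4120 error codes an application server returns
KRB_AP_ERR_TKT_EXPIRED = 32

def string_to_key(principal, password):
    # Stand-in for the Kerberos string-to-key function (the key type is chosen by the client)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def seal(key, obj):
    """Encrypt-then-MAC a JSON object; hex output so a ticket can nest inside another message."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return (nonce + hmac.new(key, nonce + ct, "sha256").digest() + ct).hex()

def unseal(key, blob_hex):
    # Inverse of seal; raises ValueError when the key is wrong or the blob was modified
    blob = bytes.fromhex(blob_hex)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("decryption failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

class KDC:
    """Authentication Service and Ticket-Granting Service over one principal database."""
    def __init__(self, principals, lifetime=8 * 3600):
        self.db = {p: string_to_key(p, pw) for p, pw in principals.items()}
        self.lifetime = lifetime
    def _issue(self, server, client, now):
        # Ticket sealed under the server's key; enc_part carries the same session key to the client
        part = {"session_key": os.urandom(32).hex(), "server": server, "expires": now + self.lifetime}
        return seal(self.db[server], dict(part, client=client)), part
    def as_exchange(self, client, server, enc_timestamp, nonce, now):
        # Step 2: decrypting the timestamp with the client's key is what authenticates the user
        if abs(unseal(self.db[client], enc_timestamp)["timestamp"] - now) > MAX_SKEW:
            raise ValueError("stale pre-authentication timestamp")
        tgt, part = self._issue(server, client, now)
        return {"tgt": tgt, "enc_part": seal(self.db[client], dict(part, nonce=nonce))}
    def tgs_exchange(self, tgt, authenticator, service, now):
        # Steps 4-5: same protocol as the AS exchange, with the TGT in place of the client's key
        t = unseal(self.db[TGS], tgt)
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["client"] != t["client"] or abs(a["timestamp"] - now) > MAX_SKEW or t["expires"] < now:
            raise ValueError("bad authenticator or expired TGT")
        tkt, part = self._issue(service, t["client"], now)
        return {"ticket": tkt, "enc_part": seal(bytes.fromhex(t["session_key"]), part)}

class AppServer:
    """A Kerberos-secured service; its long-term key is the one kept in its keytab file."""
    def __init__(self, keytab_key):
        self.key = keytab_key
    def ap_exchange(self, ticket, authenticator, now):
        # Step 6: the keytab key opens the ticket, the session key inside it opens the authenticator
        t = unseal(self.key, ticket)
        if t["expires"] < now:
            return {"error": KRB_AP_ERR_TKT_EXPIRED}
        session = bytes.fromhex(t["session_key"])
        try:
            a = unseal(session, authenticator)
            if a["client"] != t["client"] or abs(a["timestamp"] - now) > MAX_SKEW:
                raise ValueError("authenticator does not match the ticket")
        except ValueError:
            return {"error": KRB_AP_ERR_BAD_INTEGRITY}
        # Step 7: mutual authentication, the client's timestamp returned under the session key
        return {"client": t["client"], "ap_rep": seal(session, {"timestamp": a["timestamp"]})}

class Client:
    """Steps 1, 3, 4 and 6 from the user's side; self.cache stands in for the credentials cache."""
    def __init__(self, kdc, principal, password):
        self.kdc, self.principal, self.cache = kdc, principal, {}
        self.key = string_to_key(principal, password)
    def _authenticator(self, session_hex, now):
        return seal(bytes.fromhex(session_hex), {"client": self.principal, "timestamp": now})
    def kinit(self, now):
        # Step 1: client name, server (the TGS), timestamp and nonce go to the AS
        nonce = os.urandom(8).hex()
        rep = self.kdc.as_exchange(self.principal, TGS, seal(self.key, {"timestamp": now}), nonce, now)
        part = unseal(self.key, rep["enc_part"])   # Step 3: only the user's secret key opens this
        if part["nonce"] != nonce:
            raise ValueError("AS reply does not answer our request")
        self.cache[TGS] = (rep["tgt"], part["session_key"])
    def get_service_ticket(self, service, now):
        # Step 4: the cached TGT plus an authenticator replace the password-derived key
        tgt, session = self.cache[TGS]
        rep = self.kdc.tgs_exchange(tgt, self._authenticator(session, now), service, now)
        self.cache[service] = (rep["ticket"], unseal(bytes.fromhex(session), rep["enc_part"])["session_key"])
    def connect(self, server, service, now):
        """Returns True when the server proved itself (step 7), otherwise the server's error code."""
        ticket, session = self.cache[service]
        rep = server.ap_exchange(ticket, self._authenticator(session, now), now)
        if "error" in rep:
            return rep["error"]
        return unseal(bytes.fromhex(session), rep["ap_rep"])["timestamp"] == now
```

Two properties from the text are visible in the model: the password never leaves the client (only a timestamp sealed under the password-derived key does), and the TGT is sealed under the TGS key, so the client's own key cannot open or modify it. The model omits a replay cache, so a captured authenticator would be accepted again within MAX_SKEW; a real application server keeps one, which is why the clock-skew window matters.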

© 2007 Hewlett-Packard Development Company, L.P.