Overview
Authentication Process
Chapter 1 29
• Client-indicates the user name, also referred to as the principal
name
• Server-indicates the Application Server
• Time stamp
• Nonce
Step 2. If the AS decrypts the message successfully, it authenticates the
requesting user and issues a TGT. The TGT contains the user name, a
session key for your use, and name of the server to be used for any
subsequent communication. The reply message is encrypted using your
secret key.
Step 3. The client decrypts the message using your secret key. The TGT and the
session key from the message are stored in the client’s credential cache.
These credentials are used to obtain tickets for each network service the
principal wants to access.
The Kerberos protocol exchange has the following important features:
• The authentication scheme does not require that the password be
sent across the network, either in encrypted form or in clear text.
• The client (or any other user) cannot view or modify the contents of
the TGT.
Step 4. To obtain access to a secured network service such as rlogin, rsh, rcp,
ftp, or telnet, the requesting client application uses the previously
obtained TGT in a dialogue with the TGS to obtain a service ticket. The
protocol is the same as used while obtaining the TGT, except that the
messages contain the name of the server and a copy of the previously
obtained TGT.
Step 5. The TGS returns a new service ticket that the application client can use
to authenticate the service.
Step 6. The application client tries to authenticate to the service on the
application server using the service ticket obtained from the TGS.
The secure application validates the service ticket using the service key
of the server that is present in the key tab file. Using the session key, the
server decrypts the authenticator and verifies the identity of the user. It
