Kerberos ticket exchange sequence.
Kerberized services request procedure:
1. The client sends the user's principal name (the Kerberos account) to the KDC in an AS request (KRB_AS_REQ).
2. If pre-authentication is required for that principal (the default), the KDC (AS) replies with an error asking for it (KDC_ERR_PREAUTH_REQUIRED).
3. The client repeats the request with pre-authentication data (PA-ENC-TIMESTAMP): the current time stamp, encrypted with the user's long-term key, which is derived from the password (for the RC4 encryption type this is the NT password hash). The KDC decrypts it with its own copy of the key and accepts it only if the time stamp is within the allowed clock skew (5 minutes by default). A wrong password therefore fails here, before any ticket is issued.
4. The KDC (AS) sends back:
the Ticket Granting Ticket (TGT), encrypted with the TGS key (the key of the krbtgt/REALM principal), so the client can neither read nor alter it;
the client/TGS session key, encrypted with the user's key.
The client decrypts the session key with the user's key and caches it, together with the opaque TGT, in its credential cache.
The TGT contains the TGS copy of the client/TGS session key, the client principal, the ticket lifetime (start and end time), the KDC timestamp, the ticket flags and, if address restrictions are in use, the client IP address.
5. The client sends a TGS request to the KDC (TGS) containing:
the cached TGT;
an Authenticator: the client principal and the current time stamp, encrypted with the client/TGS session key;
the desired service principal name (SPN).
6. The KDC (TGS) decrypts the TGT with the TGS key, decrypts the Authenticator with the session key found inside the TGT, checks that the ticket is within its lifetime, that the principal in the Authenticator matches the one in the TGT and that the time stamp is within the allowed clock skew, then sends the following to the client:
a Service ticket, encrypted with the service's long-term key (the Server key). The Service ticket contains the client/Server session key, the client principal, the ticket lifetime, the KDC timestamp, the ticket flags and, if address restrictions are in use, the client IP address.
the client/Server session key, encrypted with the client/TGS session key.
Only the KDC and the service can read the Service ticket; the client merely stores and forwards it.
7. The client sends the following to the application server in an AP request (KRB_AP_REQ):
the Service ticket;
an Authenticator: the client principal and the current time stamp (with a microsecond field), encrypted with the client/Server session key.
8. The application server decrypts the Service ticket with its long-term key stored in the keytab (/etc/krb5.keytab by default), decrypts the Authenticator with the client/Server session key taken from the ticket, and validates it: the ticket must be within its lifetime, the principal in the Authenticator must match the one in the ticket, the time stamp must be within the allowed clock skew (5 minutes by default), and the same Authenticator must not have been seen before (replay cache). If the client asked for mutual authentication, the server sends back an AP reply (KRB_AP_REP) containing the client's time stamp and microsecond value copied from the Authenticator, encrypted with the client/Server session key. Returning the time stamp incremented by one was the Kerberos V4 behaviour; V5 returns it unchanged.
9. The client decrypts the reply with the client/Server session key and checks that the time stamp matches the one it sent. Only the holder of the service key could have recovered the session key from the ticket, so a correct reply proves the server's identity, and the client starts issuing service requests (optionally protected with the session key or a negotiated subkey).
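The whole sequence above, modelled end to end as an added Python example; this is not code from the original page and not any real Kerberos library. Names and layouts are assumptions chosen for the illustration: seal/unseal is a toy encrypt-then-MAC built from SHAKE256 and HMAC-SHA256 that stands in for the Kerberos encryption types, tickets and authenticators are JSON objects rather than ASN.1, string2key is PBKDF2 rather than a real string-to-key function, the realm EXAMPLE.COM, the user alice and the service principal host/app.example.com are constructed sample data, and ticket flags and address restrictions are left out. What it keeps faithful is the structure of the exchange: who holds which key, the same ticket-plus-authenticator validation being run by the TGS and by the application server, the clock-skew check, the replay cache, and the V5 mutual-authentication reply.

```python
"""Toy model of the Kerberos V5 AS, TGS and AP exchanges described above.
Added illustration, not real Kerberos code: seal/unseal, the JSON message layouts
and string2key stand in for the real enctypes, ASN.1 structures and string-to-key
functions; ticket flags and address restrictions are omitted."""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300  # seconds; the usual clockskew default (MIT, Heimdal, AD)
REALM = "EXAMPLE.COM"  # constructed sample realm

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object (stands in for a Kerberos EncryptedData)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Fails on a bad tag, i.e. wrong key or a tampered ticket/authenticator."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def string2key(password: str, salt: str) -> bytes:
    """Stand-in for the enctype's string-to-key; Kerberos salts with REALM+principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def check_ticket(ticket_key: bytes, ticket: bytes, authenticator: bytes, now: float):
    """Shared by TGS (step 6) and app server (step 8): ticket under the service key,
    authenticator under the session key inside it, then lifetime and skew checks."""
    t = unseal(ticket_key, ticket)
    if not t["start"] <= now <= t["end"]:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if abs(a["ctime"] - now) > MAX_SKEW:
        raise PermissionError("KRB_AP_ERR_SKEW")
    return t, a

class KDC:
    def __init__(self, realm: str, db: dict):
        self.realm, self.db = realm, db           # db: principal -> long-term key
        self.tgs_key = db["krbtgt/" + realm]

    def as_exchange(self, cname: str, preauth: bytes, now: float):
        """Steps 3-4: verify PA-ENC-TIMESTAMP, return (TGT, enc-part for the client)."""
        user_key = self.db[cname]
        try:
            pa = unseal(user_key, preauth)
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None
        if abs(pa["timestamp"] - now) > MAX_SKEW:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        sk = os.urandom(32).hex()                 # client/TGS session key
        tgt = seal(self.tgs_key, {"sk": sk, "cname": cname, "start": now, "end": now + 36000})
        return tgt, seal(user_key, {"sk": sk, "sname": "krbtgt/" + self.realm})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: float):
        """Steps 5-6: validate TGT and authenticator, return (service ticket, enc-part)."""
        t, _ = check_ticket(self.tgs_key, tgt, authenticator, now)
        sk = os.urandom(32).hex()                 # client/server session key
        st = {"sk": sk, "cname": t["cname"], "start": now, "end": t["end"]}
        return seal(self.db[sname], st), seal(bytes.fromhex(t["sk"]), {"sk": sk, "sname": sname})

class AppServer:
    def __init__(self, sname: str, keytab: dict):
        self.sname, self.key = sname, keytab[sname]   # key as read from /etc/krb5.keytab
        self.replay_cache = set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: float) -> bytes:
        """Step 8: validate, reject replayed authenticators, return the AP-REP."""
        t, a = check_ticket(self.key, ticket, authenticator, now)
        entry = (a["cname"], a["ctime"], a["cusec"])
        if entry in self.replay_cache:
            raise PermissionError("KRB_AP_ERR_REPEAT")
        self.replay_cache.add(entry)
        # V5 mutual auth echoes the authenticator's ctime/cusec (V4 sent timestamp+1)
        return seal(bytes.fromhex(t["sk"]), {"ctime": a["ctime"], "cusec": a["cusec"]})

def client_login(kdc, server, user, password, now, server_clock=None) -> str:
    """Client side of steps 1-9: 'OK' or the error code raised; server_clock lets
    the application server's clock differ from the client's (skew test)."""
    try:
        user_key = string2key(password, kdc.realm + user)
        tgt, enc = kdc.as_exchange(user, seal(user_key, {"timestamp": now}), now)
        tgs_sk = bytes.fromhex(unseal(user_key, enc)["sk"])                # step 4
        auth = seal(tgs_sk, {"cname": user, "ctime": now, "cusec": 1})
        st, enc2 = kdc.tgs_exchange(tgt, auth, server.sname, now)
        srv_sk = bytes.fromhex(unseal(tgs_sk, enc2)["sk"])                 # step 6
        ctime, cusec = now + 1, 42
        auth2 = seal(srv_sk, {"cname": user, "ctime": ctime, "cusec": cusec})
        srv_now = now + 1 if server_clock is None else server_clock
        rep = unseal(srv_sk, server.ap_exchange(st, auth2, srv_now))       # steps 7-9
        return "OK" if rep == {"ctime": ctime, "cusec": cusec} else "KRB_AP_ERR_MUT_FAIL"
    except PermissionError as e:
        return str(e)

# Constructed sample principal database and keytab (random toy keys).
KEYTAB = {"host/app.example.com": os.urandom(32)}
KDC_DB = {"krbtgt/" + REALM: os.urandom(32), "alice": string2key("correct horse", REALM + "alice"), **KEYTAB}
```

client_login returns "OK" for a valid login and the error code otherwise. Calling it twice with the same clock value returns KRB_AP_ERR_REPEAT because the second Authenticator hits the replay cache, a wrong password fails at pre-authentication with KDC_ERR_PREAUTH_FAILED before any ticket exists, and setting server_clock more than MAX_SKEW seconds away from the client's clock yields KRB_AP_ERR_SKEW, which is the failure you see in the field when a host's clock drifts.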