Hi everyone!

Last week I had some technical discussion with an experienced guy. He told me 
that a "kerberized" service needs to contact the KDC to confirm the validity of 
a client authenticator, and that the keytab contains some credentials needed to 
contact this KDC.

Since he's an important guy who does a great job, I don't want to openly 
contradict him. Thus I need to confirm the right Kerberos mechanisms before 
telling him that he's not completely right about the Kerberos protocol.

I leave aside the TGT part of the Kerberos protocol, which is out of scope for my 
question.

My theory is that when a client wants to authenticate with a service, it gets a 
ticket from the KDC dedicated to that service. Then the client generates an 
authenticator embedding the retrieved ticket, and adds its identity and a 
timestamp, encrypted with the session key given along with the service ticket by 
the KDC.

Since the service ticket contains the session key encrypted with the service 
key, and the service knows its key via the keytab file, the service is able to 
decrypt the ticket, get the session key, decrypt the remaining part of the 
authenticator, and compare the identity encrypted with the session key with the 
identity embedded in the service ticket, enabling it to authenticate the client.

All of this without the service contacting the KDC. That is the most important 
point.

Am I right?

Thanks!

-- 
Emmanuel Coirier
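As an added worked example (not part of the original post), here is a toy simulation in Python of the flow described above: the KDC issues the service ticket, the client builds the authenticator, and the service verifies it using nothing but its own keytab entry. The cipher, principal names, field layout and helper names are constructed for illustration and are not Kerberos's real encryption types or ASN.1 encoding.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (constructed for this example, not a real Kerberos enctype).
def _keystream(key, nonce, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# KDC: issues a service ticket sealed under the service's long-term key (the keytab key).
def kdc_issue_ticket(service_key, client, service, now):
    session_key = os.urandom(32)
    ticket = encrypt(service_key, {"cname": client, "sname": service,
                                   "key": session_key.hex(), "endtime": now + 600})
    return ticket, session_key

# Client: AP-REQ = ticket + authenticator (identity and timestamp) under the session key.
def client_build_ap_req(ticket, session_key, client, now):
    return ticket, encrypt(session_key, {"cname": client, "ctime": now})

# Service: verifies using only its keytab entry; no message to the KDC is ever sent.
def service_verify(keytab, ap_req, service, now, max_skew=300):
    ticket_blob, auth_blob = ap_req
    ticket = decrypt(keytab[service], ticket_blob)          # service key from keytab
    if ticket["sname"] != service or ticket["endtime"] < now:
        raise ValueError("ticket is not for this service or has expired")
    authenticator = decrypt(bytes.fromhex(ticket["key"]), auth_blob)  # session key
    if authenticator["cname"] != ticket["cname"]:
        raise ValueError("identity in authenticator does not match the ticket")
    if abs(authenticator["ctime"] - now) > max_skew:
        raise ValueError("authenticator timestamp outside the allowed clock skew")
    return ticket["cname"]
```

The identity check and the integrity check on the ticket are what a real KDC-less verification relies on: a wrong service key or a mismatched principal is rejected locally.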
