On Wed, 9 Feb 2005 at 08:41 (-0800), Paul Silverman wrote:

> When the TGS issues a ticket to a user to access an application which
> accepts Kerberos as an authentication protocol, what is precisely the
> process to ensure that the ticket is valid and therefore access can be
> granted?
>
> Does the Kerberized app forward the ticket to the authentication
> service of the KDC in order to make sure that the ticket is indeed valid?
> Or does it check with its own local directory?
Paul,

The ticket presented to the application contains information encrypted (by the KDC) in the application's secret key, which should be known only by the KDC and the application. If the application can decrypt and read this information, it knows that the ticket must have been issued by the KDC. Even the client who is presenting the ticket can't decrypt that portion of the ticket; it just passes it along to the application. Thus, there is no need for the application to have online access to the KDC when it is validating a ticket.

But I should point out that this doesn't mean the user (client) should be given access to the application. Kerberos just authenticates the user - i.e., vouches for the association between the client that is connecting to the application and the identifier (principal name) it's using to authenticate. Once it knows which identifier it is dealing with, the application must consult its own information (perhaps in a Directory) to determine the level of access it should grant to the corresponding user.

Mike

------------------------------------------------------------------------------
Mike Friedman                 System and Network Security
[EMAIL PROTECTED]             2484 Shattuck Avenue
1-510-642-1410                University of California at Berkeley
http://ack.Berkeley.EDU/~mikef   http://security.berkeley.edu
------------------------------------------------------------------------------

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
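The offline validation Mike describes, worked through end to end as an added example. This is my illustration, not code from the thread or from MIT Kerberos: the KDC seals the service ticket under the service's long-term key, the client forwards that opaque ticket plus an authenticator sealed under the session key, and the service checks both without ever contacting the KDC, then separately consults its own ACL for authorization. The "cipher" is a standard-library HMAC-SHA256 keystream with an Encrypt-then-MAC tag standing in for a real Kerberos enctype, and the principal names, ACL, timestamps and keys are constructed sample data.

```python
import hashlib
import hmac
import json
import os


def _subkeys(key):
    # Derive separate encryption and MAC keys from one long-term key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Authenticated encryption of a JSON object: nonce || ciphertext || tag.
    Toy stand-in for a Kerberos enctype (assumption), not the real AES-CTS-HMAC profiles."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Inverse of seal(); raises ValueError unless blob was sealed under key and is intact."""
    if len(blob) < 48:
        raise ValueError("truncated")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: not sealed under this key, or modified")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Knows every principal's long-term key; besides the service itself, the only holder of the service key."""

    def __init__(self, principal_keys):
        self.keys = principal_keys

    def issue_service_ticket(self, client, service, now, lifetime=8 * 3600):
        session_key = os.urandom(32)
        # The ticket is opaque to the client: only the service key opens it.
        ticket = seal(self.keys[service], {"client": client, "session_key": session_key.hex(),
                                           "endtime": now + lifetime})
        # The client gets the session key in a part sealed under its own key.
        for_client = seal(self.keys[client], {"service": service, "session_key": session_key.hex(),
                                              "endtime": now + lifetime})
        return ticket, for_client


def client_ap_req(client_key, ticket, for_client, client, now):
    """Client side: recover the session key, build an authenticator, forward the ticket untouched."""
    session_key = bytes.fromhex(unseal(client_key, for_client)["session_key"])
    return ticket, seal(session_key, {"client": client, "ctime": now})


def service_authenticate(service_key, ticket, authenticator, now, max_skew=300):
    """Service side, fully offline: returns the authenticated principal name or None."""
    try:
        t = unseal(service_key, ticket)          # opens only if the KDC sealed it under our key
    except ValueError:
        return None
    if now > t["endtime"]:
        return None
    try:
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)  # proves the client holds the session key
    except ValueError:
        return None
    if a["client"] != t["client"] or abs(now - a["ctime"]) > max_skew:
        return None                              # a real service also keeps a replay cache within the skew window
    return t["client"]


# Authorization is the service's own business, separate from authentication (constructed ACL).
ACL = {"alice@EXAMPLE.ORG": "read-write", "bob@EXAMPLE.ORG": "read-only"}


def service_authorize(principal):
    return ACL.get(principal)


def demo():
    svc = "host/app.example.org@EXAMPLE.ORG"
    keys = {p: os.urandom(32) for p in ("alice@EXAMPLE.ORG", "carol@EXAMPLE.ORG", svc)}
    kdc, now, results = KDC(keys), 1_107_967_200, {}   # constructed timestamp
    for who in ("alice@EXAMPLE.ORG", "carol@EXAMPLE.ORG"):
        ticket, for_client = kdc.issue_service_ticket(who, svc, now)
        t, a = client_ap_req(keys[who], ticket, for_client, who, now)
        principal = service_authenticate(keys[svc], t, a, now + 5)
        results[who] = (principal, service_authorize(principal))   # carol authenticates but is not in the ACL
    forged = seal(os.urandom(32), {"client": "alice@EXAMPLE.ORG", "session_key": "00" * 32, "endtime": now + 9999})
    results["forged"] = service_authenticate(keys[svc], forged, a, now)       # not under the service key
    tampered = t[:20] + bytes([t[20] ^ 1]) + t[21:]
    results["tampered"] = service_authenticate(keys[svc], tampered, a, now)   # one flipped byte breaks the tag
    results["replay"] = service_authenticate(keys[svc], t, a, now + 3600)     # stale authenticator
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Nothing in `service_authenticate` touches the KDC; the service key alone decides whether a ticket is genuine, and carol's case shows why that is not the end of the story: she is authenticated but the ACL lookup still returns no access level.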
