Paul Silverman wrote:
> When the TGS issues a ticket to a user to access an application which
> accepts Kerberos as an authentication protocol, what is precisely the
> process to ensure that the ticket is valid and therefore access can be
> granted?
>
> Does the Kerberized app forward the ticket to the authentication
> service of the KDC in order to make sure that the ticket is indeed
> valid? Or does it check with its own local directory?
>
> Thanks.
>
> Paul
The service ticket given to the client contains two parts: an outer envelope and an inner envelope. The outer envelope is encrypted in a key that only the client has. The inner envelope is encrypted in a key that only the application service has. Within both envelopes is a copy of a common key.

When the client talks to the application service, the client hands the inner envelope to the application service. The service reads the contents and discovers the name of the client, validity timestamps, the shared session key and some other goodies. The client and service use the shared key to prove to each other that they are both in possession of the key. This signifies that each one shares a secret with the trusted third party, the KDC.

The application service will then take the user's name and look it up in an authorization database to determine whether or not the user is allowed to use the service; and if so, what capabilities the client may use.

Jeffrey Altman

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
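The exchange Jeffrey describes, as an added toy model that is not part of the original thread and not MIT Kerberos code: the TGS seals the same session key into a client envelope and a service envelope, the client presents the service envelope plus an authenticator, the service validates everything locally with only its own key (no call back to the KDC), answers with an AP-REP to complete mutual authentication, and finally consults its own authorization table. The `seal`/`unseal` pair is an HMAC-based stand-in for a real RFC 3961 enctype; the principal names, keys, ACL and timestamps are constructed for the demo.

```python
"""Toy model of the Kerberos service-ticket validation described above.

seal()/unseal() are NOT a real Kerberos enctype (e.g. AES-CTS-HMAC-SHA1-96);
they are HMAC-SHA256 used as a CTR keystream plus an HMAC tag, enough to
show which party can open which envelope. All names and keys are constructed.
"""
import hashlib, hmac, json, os, struct

CLOCK_SKEW = 300  # seconds; typical Kerberos tolerance for authenticator timestamps


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag first; a wrong key or tampered envelope raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def tgs_issue(cname, sname, client_key, service_key, now, lifetime=8 * 3600):
    """TGS: fresh session key, sealed once for the service (ticket) and once for the client."""
    session_key = os.urandom(32).hex()
    window = {"starttime": now, "endtime": now + lifetime}
    inner = seal(service_key, json.dumps({"cname": cname, "sname": sname, "key": session_key, **window}).encode())
    outer = seal(client_key, json.dumps({"sname": sname, "key": session_key, **window}).encode())
    return inner, outer


def client_ap_req(outer, inner, client_key, cname, now):
    """Client: open its own envelope, then build an authenticator under the session key."""
    session_key = bytes.fromhex(json.loads(unseal(client_key, outer))["key"])
    authenticator = seal(session_key, json.dumps({"cname": cname, "ctime": now}).encode())
    return {"ticket": inner, "authenticator": authenticator}, session_key


def service_ap_req(ap_req, service_key, sname, acl, now):
    """Service: validate the ticket with its OWN key only, then authorize from its OWN table."""
    ticket = json.loads(unseal(service_key, ap_req["ticket"]))  # raises if not sealed for us
    if ticket["sname"] != sname:
        raise ValueError("ticket names a different service")
    if not ticket["starttime"] <= now <= ticket["endtime"]:
        raise ValueError("ticket outside validity window")
    session_key = bytes.fromhex(ticket["key"])
    auth = json.loads(unseal(session_key, ap_req["authenticator"]))  # proves client holds the key
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator client does not match ticket")
    if abs(auth["ctime"] - now) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside clock skew")
    ap_rep = seal(session_key, json.dumps({"ctime": auth["ctime"]}).encode())  # mutual auth
    return ticket["cname"], acl.get(ticket["cname"], []), ap_rep


def client_verify_ap_rep(ap_rep, session_key, ctime):
    """Client: only a holder of the session key could have echoed ctime back."""
    return json.loads(unseal(session_key, ap_rep))["ctime"] == ctime


def rejected(fn, *args):
    """Return the service's rejection reason, or None if it accepted the request."""
    try:
        fn(*args)
        return None
    except ValueError as exc:
        return str(exc)


def demo():
    client_key, service_key, other_key = os.urandom(32), os.urandom(32), os.urandom(32)
    now, cname, sname = 1_700_000_000, "paul@EXAMPLE.COM", "host/app.example.com"
    acl = {cname: ["read", "write"]}  # the service's local authorization database
    inner, outer = tgs_issue(cname, sname, client_key, service_key, now)
    ap_req, skey = client_ap_req(outer, inner, client_key, cname, now + 10)
    who, caps, ap_rep = service_ap_req(ap_req, service_key, sname, acl, now + 12)
    return {
        "cname": who,
        "caps": caps,
        "mutual": client_verify_ap_rep(ap_rep, skey, now + 10),
        "wrong_service": rejected(service_ap_req, ap_req, other_key, sname, acl, now + 12),
        "expired": rejected(service_ap_req, ap_req, service_key, sname, acl, now + 9 * 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the service never talks to the KDC during validation: the ticket's integrity under the service key, the authenticator under the session key, and the validity window are all checked with material the service already holds, which is why a ticket meant for another service (or one past its end time) fails without any network round trip.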
