Newbie question about Kerberos
jaltman2 at nyc.rr.com
Wed Feb 9 21:14:51 EST 2005
Paul Silverman wrote:
> When the TGS issues a ticket to a user to access an application which
> accepts Kerberos as an authentication protocol, what is precisely the
> process to ensure that the ticket is valid and therefore access can be
> granted ?
> Does the Kerberized app forward the ticket to the authentication
> service of the KDC in order to make sure that the ticket is indeed
> valid ? Or does it check with its own local directory ?
The service ticket given to the client contains two parts: an outer
envelope and an inner envelope. The outer envelope is encrypted in
a key that only the client has. The inner envelope is encrypted in
a key that only the application service has. Within both envelopes
is a copy of a common key.
When the client talks to the application service, the client hands
the inner envelope to the application service. The service reads the
contents and discovers the name of the client, validity timestamps,
the shared session key and some other goodies. The client and service
use the shared key to prove to each other that they are both in
possession of the key. This signifies that each one shares a secret
with the trusted third party, the KDC.
The application service will then take the user's name and look it
up in an authorization database to determine whether or not the
user is allowed to use the service; and if so, what capabilities
the client may use.
More information about the Kerberos
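The exchange described in the reply above, worked through as an added example (not code from the original thread and not MIT Kerberos code): a KDC that seals a session key into an inner envelope under the service's key and an outer envelope under the client's key, a client that opens the outer envelope and presents the inner one plus an authenticator, and a service that opens the inner envelope locally, checks the validity window, proves possession of the session key back to the client, and only then consults its own authorization table. The principal names, the AUTHZ_DB table, the 600-second lifetime and the HMAC-SHA256 stream-cipher stand-in for real Kerberos enctypes are all constructed for illustration.

```python
"""Toy model of a Kerberos service-ticket exchange (constructed example).

Shows why the service never calls back to the KDC: the inner envelope is
readable only with the service's own long-term key, so a valid decryption
plus a fresh authenticator is the proof. Authorization is a separate lookup.
The cipher is a stand-in (HMAC-SHA256 keystream + MAC), not a Kerberos enctype.
"""
import hashlib
import hmac
import json
import os
import time

# --- toy authenticated encryption (stand-in for real Kerberos enctypes) ------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under this exact key (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(
            hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered envelope")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# --- KDC: knows every principal's long-term key -------------------------------

class KDC:
    def __init__(self):
        self.keys = {}  # principal -> long-term key, shared only with that principal

    def register(self, principal: str) -> bytes:
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]

    def issue_service_ticket(self, client: str, service: str, now: float,
                             lifetime: int = 600) -> bytes:
        session_key = os.urandom(32).hex()
        # Inner envelope: only the service can open it; carries client name,
        # validity timestamps and a copy of the session key.
        inner = seal(self.keys[service], {"client": client, "service": service,
                                          "session_key": session_key,
                                          "start": now, "end": now + lifetime})
        # Outer envelope: only the client can open it; carries the same session
        # key plus the opaque inner envelope to hand on.
        return seal(self.keys[client], {"service": service, "session_key": session_key,
                                        "end": now + lifetime, "inner": inner.hex()})

# --- client side ---------------------------------------------------------------

def client_build_request(client_key: bytes, client: str, outer: bytes, now: float):
    creds = open_sealed(client_key, outer)          # the client cannot read the inner part
    session_key = bytes.fromhex(creds["session_key"])
    authenticator = seal(session_key, {"client": client, "timestamp": now})
    return bytes.fromhex(creds["inner"]), authenticator, session_key

def client_verify_service(session_key: bytes, ap_rep: bytes, sent_ts: float) -> bool:
    """Mutual auth: only a holder of the session key could have sealed AP-REP."""
    return open_sealed(session_key, ap_rep)["timestamp"] == sent_ts

# --- service side: local checks, then a local authorization lookup ------------

AUTHZ_DB = {"alice@EXAMPLE.ORG": {"read", "write"}, "bob@EXAMPLE.ORG": {"read"}}  # constructed
CLOCK_SKEW = 300  # seconds of tolerated clock drift

def service_accept(service_key: bytes, inner: bytes, authenticator: bytes, now: float):
    ticket = open_sealed(service_key, inner)        # decrypts only if issued by the KDC for us
    if not (ticket["start"] - CLOCK_SKEW <= now <= ticket["end"]):
        raise PermissionError("ticket not yet valid or expired")
    session_key = bytes.fromhex(ticket["session_key"])
    auth = open_sealed(session_key, authenticator)  # proves the client holds the session key
    if auth["client"] != ticket["client"] or abs(auth["timestamp"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    caps = AUTHZ_DB.get(ticket["client"])           # authentication done; now authorization
    if caps is None:
        raise PermissionError("authenticated, but not authorized for this service")
    return ticket["client"], caps, seal(session_key, {"timestamp": auth["timestamp"]})

# --- whole exchange ------------------------------------------------------------

def exchange_outcome(client="alice@EXAMPLE.ORG", service="host/fs.example.org",
                     now=1_700_000_000.0, delay=0.0):
    """Returns ("ok", name, sorted caps) or ("rejected", reason)."""
    kdc = KDC()
    ck, sk = kdc.register(client), kdc.register(service)
    outer = kdc.issue_service_ticket(client, service, now)
    try:
        inner, authenticator, session_key = client_build_request(ck, client, outer, now + delay)
        who, caps, ap_rep = service_accept(sk, inner, authenticator, now + delay)
        if not client_verify_service(session_key, ap_rep, now + delay):
            return ("rejected", "service failed mutual authentication")
        return ("ok", who, sorted(caps))
    except (PermissionError, ValueError) as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    print(exchange_outcome())
    print(exchange_outcome(client="carol@EXAMPLE.ORG"))
    print(exchange_outcome(delay=10_000))
```

Note the order in service_accept: the ticket is validated with the service's own key and the authenticator before AUTHZ_DB is consulted, and an unknown principal is reported as "authenticated, but not authorized", which is the distinction the reply draws between the KDC's job and the application's own authorization database.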