Kerboros explain

Ken Raeburn raeburn at MIT.EDU
Mon Aug 4 12:19:31 EDT 2008

On Aug 2, 2008, at 06:03, kisito wrote:
> In the operation of the Kerberos protocol, why Authentication  
> Server , when
> delivering the TGT, does not directly issued the service ticket? (so  
> I do
> not see why have complicated the protocol by introducing the TGS)

If you're going to contact a dozen services during your login session,  
the TGT will let you get service tickets for them without asking for  
your password over and over again.

Theoretically (if the protocol were set up for it) you could get them  
all at once and prompt for the password only once, but that only works  
if you know what all of them are when you log in; for a realm with  
possibly thousands of servers, you can't practically get Kerberos  
style credentials (dependent on shared secrets between the KDC and  
each individual service, hence needing different credentials for each  
service) for all of them at login time just in case you might want to  
talk to them later.  It also doesn't help in the cross-realm  
authentication case, where you need credentials to send to some other  
site's KDC, so it can issue you credentials to talk to one or more  
services at that site; this is also done with a kind of TGT issued by  
your "home" KDC.

The ticket-granting ticket model lets you transparently (we hope!) get  
additional tickets as you need them during your session, without  
having to decide up front.


More information about the Kerberos mailing list