Kerboros explain

Paul Moore paul.moore at
Mon Aug 4 12:31:54 EDT 2008

Note that you *can* get a service ticket when you authenticate. In fact
this is required by some highly secure service such as kpasswd. But this
is exceptional 

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
Behalf Of Ken Raeburn
Sent: Monday, August 04, 2008 9:20 AM
To: kisito
Cc: kerberos at MIT.EDU
Subject: Re: Kerboros explain

On Aug 2, 2008, at 06:03, kisito wrote:
> In the operation of the Kerberos protocol, why Authentication Server ,

> when delivering the TGT, does not directly issued the service ticket? 
> (so I do not see why have complicated the protocol by introducing the 
> TGS)

If you're going to contact a dozen services during your login session,
the TGT will let you get service tickets for them without asking for
your password over and over again.

Theoretically (if the protocol were set up for it) you could get them
all at once and prompt for the password only once, but that only works
if you know what all of them are when you log in; for a realm with
possibly thousands of servers, you can't practically get Kerberos style
credentials (dependent on shared secrets between the KDC and each
individual service, hence needing different credentials for each
service) for all of them at login time just in case you might want to
talk to them later.  It also doesn't help in the cross-realm
authentication case, where you need credentials to send to some other
site's KDC, so it can issue you credentials to talk to one or more
services at that site; this is also done with a kind of TGT issued by
your "home" KDC.

The ticket-granting ticket model lets you transparently (we hope!) get
additional tickets as you need them during your session, without having
to decide up front.

Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list