User:TomYu/KDC processing

From K5Wiki
  • Client referrals?
  • Authenticate request content -- sometimes authenticates the client principal too
    • PKINIT (AS, also authenticates client)
    • PA-TGS-REQ (TGS, also authenticates client)
    • FAST (AS or TGS)
  • Authenticate client -- sometimes authenticates the request content too
    • PA-ENC-TS (weak; AS)
    • PKINIT (AS, also authenticates request content)
    • SAM2 (AS)
    • PA-ENCRYPTED-CHALLENGE (AS)
    • PA-TGS-REQ (TGS, also authenticates request content)
    • S4U2Self (TGS)
    • S4U2Proxy (TGS)
  • Determine service principal
    • Hostname alias
    • Cross-realm service principal referral
    • Cross-realm TGS referral
    • User-to-user (from second ticket)
  • Validate protocol constraints
  • Validate policies
  • Issue ticket
  • Encrypt reply
    • FAST (AS or TGS)
    • Long-term key (AS)
    • Session key (TGS)