Kerberos Kerberos Ticket.


Presentation on theme: "Kerberos Kerberos Ticket."— Presentation transcript:

1 Kerberos Kerberos Ticket

2 Login with Kerberos
The first time a user requests a Kerberos ticket is when that user logs in to some account in a Windows 2003 domain. From the point of view of the user, the process is simple: type a login name, a domain name, and a password into some client machine, then wait for the login to succeed or fail. What's actually going on is not quite so simple. The user's login request causes the client system to send a message to a KDC running on a domain controller. The message contains several things, including the user's name; preauthentication data, which consists of a timestamp encrypted using KC (a hash of the user's password) as the key; and a request for a ticket-granting ticket (TGT).

3 Logging In
KDC: Key Distribution Center (Domain Controller CA (certificate authority))
KX: The secret key (that is, the hashed password) of X, where X is a client (C) user, a server (S) application, or the KDC (K).
· {anything}KX: Anything encrypted with X's secret key.
· {T}KS: A ticket encrypted with server S's secret key. In other words, this is a ticket for server S (the notation is a bit imprecise, since the entire ticket isn't encrypted).
· KX,Y: A session key used between X and Y.
· {anything}KX,Y: Anything encrypted with the session key used between X and Y.
TGT: Ticket Granting Ticket

4 Authenticating to a Remote Service
When the client application makes its first remote request to the server, a ticket request is automatically made to the KDC, as shown in Figure 4. When the KDC receives this request, it decrypts the TGT (recall that only the KDC knows KK, the key used to encrypt this ticket), then extracts the session key KC,K from the ticket. It then uses this session key to decrypt the authenticator. The authenticator serves two purposes. First, because it is encrypted using the client/Kerberos session key, it proves that the user is who she claims to be, since, as described earlier, the only way to get this session key is to type the correct password at login. If the KDC's attempted decryption of the authenticator is successful, the client system must be in possession of the session key.
Figure 4: Getting and Using a Service Ticket
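The two exchanges on slides 2 and 4 (pre-authentication with {timestamp}KC and issuance of a TGT, then the TGT plus an authenticator being turned into a service ticket {T}KS) are easier to follow end to end in code. The block below is an added example, not the presentation's own material nor Microsoft's or MIT's Kerberos code: the cipher is a constructed encrypt-then-MAC stand-in for real Kerberos encryption types, the principal names, passwords, skew window and ticket lifetime are made-up values, and the replay cache and freshness checks are the defensive checks a KDC is expected to perform rather than anything the slides spell out.

```python
"""Toy walk-through of the Kerberos AS exchange (slide 2) and TGS exchange
(slide 4).  Added example; the cipher is a constructed stand-in, not a real
Kerberos etype, and all names and secrets are made up."""
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds; constructed freshness window for timestamps


def key_from_password(password: str) -> bytes:
    """KC (or KS): a long-term key derived by hashing the password, as on slide 2."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """{obj}K: nonce || ciphertext || HMAC tag (toy encrypt-then-MAC)."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Inverse of encrypt; a wrong key or a modified blob fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key plus its own KK, which nobody else knows."""

    def __init__(self, users: dict, services: dict):
        self.users, self.services = users, services
        self.kk = os.urandom(32)   # KK: the key every TGT is encrypted under
        self.seen = set()          # (client, timestamp) replay cache

    def as_exchange(self, client: str, preauth: bytes, now: float):
        """Slide 2: check {timestamp}KC, then return {T}KK and {KC,K}KC."""
        kc = self.users[client]
        ts = decrypt(kc, preauth)["timestamp"]   # wrong password -> ValueError
        if abs(now - ts) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside skew window")
        if (client, ts) in self.seen:
            raise ValueError("replayed pre-authentication data")
        self.seen.add((client, ts))
        session = os.urandom(32)                 # KC,K
        tgt = encrypt(self.kk, {"client": client, "session": session.hex(),
                                "expires": now + 10 * 3600})
        return tgt, encrypt(kc, {"session": session.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Slide 4: decrypt the TGT with KK, pull out KC,K, decrypt the
        authenticator, and only then issue {T}KS for the requested service."""
        t = decrypt(self.kk, tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        session = bytes.fromhex(t["session"])
        auth = decrypt(session, authenticator)   # proves the client holds KC,K
        if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match TGT or is stale")
        svc_session = os.urandom(32)             # KC,S
        ticket = encrypt(self.services[service],
                         {"client": t["client"], "session": svc_session.hex()})
        return ticket, encrypt(session, {"service": service, "session": svc_session.hex()})


def client_login_and_request(kdc: KDC, user: str, password: str, service: str, now: float):
    """Client side: derive KC, pre-authenticate, obtain a TGT, then use it."""
    kc = key_from_password(password)
    tgt, enc = kdc.as_exchange(user, encrypt(kc, {"timestamp": now}), now)
    session = bytes.fromhex(decrypt(kc, enc)["session"])
    authenticator = encrypt(session, {"client": user, "timestamp": now})
    ticket, enc2 = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(decrypt(session, enc2)["session"])


def service_accepts(ks: bytes, ticket: bytes, user: str, svc_session: bytes) -> bool:
    """Server S decrypts {T}KS with its own key and checks the embedded session key."""
    t = decrypt(ks, ticket)
    return t["client"] == user and bytes.fromhex(t["session"]) == svc_session


def demo() -> dict:
    """Happy path plus two failure modes; all principals and secrets are constructed."""
    users = {"alice": key_from_password("correct horse")}
    services = {"cifs/fileserver": key_from_password("service-secret")}
    kdc, now = KDC(users, services), time.time()
    ticket, svc_session = client_login_and_request(kdc, "alice", "correct horse", "cifs/fileserver", now)
    results = {"service_accepts": service_accepts(services["cifs/fileserver"], ticket, "alice", svc_session)}
    try:   # same timestamp presented twice: the KDC's replay cache rejects it
        client_login_and_request(kdc, "alice", "correct horse", "cifs/fileserver", now)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    try:   # wrong password: the KDC cannot decrypt the pre-authentication data
        client_login_and_request(kdc, "alice", "wrong", "cifs/fileserver", now + 1)
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is where each secret lives: the client never sees KK or KS, the service never sees KC, and the KDC proves the client's identity twice, once by successfully decrypting the pre-authentication timestamp with the password-derived key and once by decrypting the authenticator with the session key it handed out in the TGT. The skew and replay checks are what stop a captured {timestamp}KC or authenticator from being reused.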

5 Inter-Domain Authentication
Figure 6: Authenticating Across Domains
