There are many things worth learning about the IIS server. Here we mainly introduce the authenticator used in Kerberos authentication to the IIS server; I hope this helps you learn about IIS servers. With this authentication method the client only sends a ticket to the IIS server. When IIS receives the ticket it can determine the client's identity without the user's password ever being transmitted. A user who is to be authenticated with Kerberos must be a domain user.
If you access the IIS server for the first time, kinit on the workstation checks the local machine and finds that there is no ticket for the IIS server yet. kinit then sends a request to the authentication server asking for a ticket for the IIS service. To do so, kinit must first generate an authenticator, which looks like this: {user name : workstation address}, encrypted with the session key shared with the authentication server.
The authentication server receives the authenticator, the ticket-granting ticket, your user name, your workstation address and the name of the IIS service. It uses the session key it shares with you to decrypt the authenticator, obtains the user name and address from it, and compares them with the user and address that sent the request. If they are consistent, the check passes and the request is valid.
The authentication server then generates a session key to be shared between the user and the IIS server, and builds a ticket for the IIS server according to the user's request. It looks like this: {session key : user name : user machine address : service name : validity period : timestamp}. This ticket is encrypted with the IIS server's own key to form the final ticket.
Finally, the authentication server encrypts {session key + encrypted ticket} with the user's password-derived key and sends it to the user.
The workstation receives the packet returned by the authentication server and decrypts it with the user's own password, obtaining the session key shared with the IIS server and the ticket for the IIS server.
kinit on the workstation also needs to generate an authenticator, which again looks like this: {user name : workstation address}, this time encrypted with the session key shared with the IIS server. The authenticator and the IIS ticket are then sent together to the IIS server.
The IIS server uses its own server key to decrypt the IIS ticket. If decryption succeeds, the ticket is genuine. It then checks whether the ticket is still within its validity period and uses the session key contained in the ticket to decrypt the authenticator, obtaining the user name and workstation address. If these match the user name and address in the ticket, the party that sent the ticket is the ticket's owner, and the request is thereby verified.
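To make the whole sequence concrete, here is an added Python simulation of the exchange described above: the authenticator check at the authentication server, the issuing of the IIS ticket, and the IIS server's own check of ticket key, validity period and authenticator. It is not code from this article, from IIS or from Windows. A toy HMAC-based authenticated encryption stands in for Kerberos' real cipher suites, the principals, keys, addresses, timestamps and service names are constructed, and the ticket reply is wrapped under the user's password-derived key, as the article describes.

```python
import hashlib
import hmac
import json
import os

# --- toy authenticated encryption (constructed for this example; not a real Kerberos enctype) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON-serialisable dict under key and append a MAC, so the receiver
    can tell a wrong key or a tampered blob apart from a genuine one."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(password: str) -> bytes:
    """Toy password-to-key derivation (constructed; real Kerberos uses string2key)."""
    return hashlib.sha256(password.encode()).digest()

# --- constructed principals and their long-term keys ---
USER_KEY = long_term_key("alice-workstation-password")  # the user's password-derived key
KDC_KEY = long_term_key("kdc-secret")                   # key the ticket-granting ticket is encrypted under
IIS_KEY = long_term_key("iis-service-password")         # the IIS server's own password

def issue_ticket(service_key, wrap_key, user, addr, service, now, lifetime=300):
    """Authentication server: pick a session key, build the ticket
    {session key : user name : machine address : service name : validity period : timestamp},
    encrypt it under the target service's key, then wrap {session key + encrypted ticket}
    under wrap_key (the user's password-derived key) for the workstation."""
    session_key = os.urandom(32).hex()
    ticket = {"session_key": session_key, "user": user, "addr": addr, "service": service,
              "start": now, "end": now + lifetime, "timestamp": now}
    return seal(wrap_key, {"session_key": session_key, "ticket": seal(service_key, ticket).hex()})

def make_authenticator(session_key_hex, user, addr, now):
    """Workstation: {user name : workstation address} under the shared session key."""
    return seal(bytes.fromhex(session_key_hex), {"user": user, "addr": addr, "timestamp": now})

def verify_request(own_key, enc_ticket, authenticator, request_addr, now):
    """Service side (the authentication server for a TGT, IIS for a service ticket):
    decrypt the ticket with its own key, check the validity period, decrypt the
    authenticator with the ticket's session key, and compare user/address with the
    ticket contents and with the host the request actually came from."""
    try:
        ticket = unseal(own_key, enc_ticket)
    except ValueError:
        return False, "ticket not encrypted under this server's key"
    if not ticket["start"] <= now <= ticket["end"]:
        return False, "ticket outside validity period"
    try:
        auth = unseal(bytes.fromhex(ticket["session_key"]), authenticator)
    except ValueError:
        return False, "authenticator not encrypted with the ticket session key"
    if (auth["user"], auth["addr"]) != (ticket["user"], ticket["addr"]) or auth["addr"] != request_addr:
        return False, "authenticator does not match ticket owner"
    return True, ticket["user"]

def run_flow(now=1_000_000, request_addr="10.0.0.5", clock_at_iis=None):
    """Full sequence for constructed user 'alice' on 10.0.0.5; returns IIS's verdict."""
    user, addr = "alice", "10.0.0.5"
    # Phase 1: the workstation already holds a ticket-granting ticket (encrypted for the KDC)
    reply = unseal(USER_KEY, issue_ticket(KDC_KEY, USER_KEY, user, addr, "krbtgt", now))
    tgt, tgt_session = bytes.fromhex(reply["ticket"]), reply["session_key"]
    # Phase 2: kinit presents TGT + authenticator to the authentication server for an IIS ticket
    ok, who = verify_request(KDC_KEY, tgt, make_authenticator(tgt_session, user, addr, now), addr, now)
    if not ok:
        return False, who
    reply = unseal(USER_KEY, issue_ticket(IIS_KEY, USER_KEY, who, addr, "HTTP/iis", now))
    iis_ticket, iis_session = bytes.fromhex(reply["ticket"]), reply["session_key"]
    # Phase 3: the workstation sends the IIS ticket plus a fresh authenticator to IIS
    iis_now = clock_at_iis if clock_at_iis is not None else now
    return verify_request(IIS_KEY, iis_ticket, make_authenticator(iis_session, user, addr, now),
                          request_addr, iis_now)

if __name__ == "__main__":
    print(run_flow())                              # (True, 'alice')
    print(run_flow(request_addr="10.0.0.99"))      # ticket replayed from another host
    print(run_flow(clock_at_iis=1_000_000 + 301))  # presented after the validity period
```

Each failure branch in `verify_request` corresponds to one check in the article: a ticket that the IIS key cannot open was not issued for this server, an out-of-window ticket is stale, and an authenticator whose name or address disagrees with the ticket or with the sending host was not produced by the ticket's owner.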