Stated up front: this article is based on the Kerberos authentication introduction by Artech and gives my personal understanding of the Kerberos authentication process and its message interactions. For more information, click here. If anything is wrong, please point it out.
First, we introduce several Kerberos concepts.
Concepts:
- AD: Active Directory
- Service Session Key: the session key issued together with the Service Ticket and shared between the client and the target service
- Logon Session Key: the session key issued together with the TGT and shared between the client and the KDC
- KDC: Key Distribution Center
- KAS: Kerberos Authentication Service; it is a service of the KDC.
- TGS: Ticket Granting Service; it is a service of the KDC.
- Service Ticket (ST): obtained from the TGS; mainly contains user information and the Service Session Key
- TGT: Ticket Granting Ticket; obtained from the KAS; mainly contains user information and the Logon Session Key
- Authenticator: information already known to both parties, encrypted with a key they share, used to prove the sender's identity.
1. Overall structure of KDC
2. Kerberos authentication process:
Process description:
- The client obtains a TGT (Ticket Granting Ticket) from the KAS (Kerberos Authentication Service) of the KDC (Key Distribution Center).
- The client obtains an ST (Service Ticket) from the TGS by presenting the TGT.
- The client uses the Service Ticket to access the service's resources.
3. Message interaction between Client and Server
1. The client sends a message to the KDC's KAS service to obtain the TGT.
The message interaction is as follows:
Note: the client sends its plaintext user name, together with an Authenticator encrypted with the key derived from its own password, to the KAS service.
After receiving the client's message, KAS processes it as follows:
2. KAS replies to the client
Message interaction in this process is as follows:
After receiving the KAS reply, the client performs the following steps:
3. The client sends a message to the TGS (Ticket Granting Service) of the KDC (Key Distribution Center) to obtain the ST (Service Ticket)
Message interaction in this process is as follows:
In this process, the TGS (Ticket Granting Service) handles the received message as follows:
4. The TGS returns a message to the client.
Message interaction in this process is as follows:
After the client receives the TGS reply, it processes it as follows:
5. The client accesses server resources using the ST
Message interaction in this process is as follows:
After receiving the client's message, the server processes it as follows:
6. Client-side authentication of the server
Message interaction in this process is as follows:
The process for the client to authenticate the server is as follows:
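The six exchanges above, modelled end to end as an added Python example (constructed for this article, not Artech's code and not the Kerberos wire format). The cipher is a toy SHA-256 keystream with an HMAC tag standing in for Kerberos encryption, the password-to-key step is a plain hash standing in for string2key, and the principal names "alice", "krbtgt" and "http/web" are assumed. What it shows is which key protects each message, that the KAS pre-authentication fails for a wrong password, that the TGS and the service tie the Authenticator to the ticket, and that the server's echoed timestamp in step 6 lets the client authenticate the server.

```python
import hashlib, hmac, json, os, time
def _xor(key, nonce, data):  # toy SHA-256 counter-mode keystream (constructed, not Kerberos crypto)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, obj):  # authenticated encryption: keystream XOR plus an HMAC tag
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):  # raises if the key is wrong: this is how every check below fails
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def user_key(name, password):  # stand-in for the Kerberos password-to-key derivation
    return hashlib.sha256(f"{name}:{password}".encode()).digest()
KDC_KEYS = {"krbtgt": os.urandom(32), "http/web": os.urandom(32),  # TGS key, service key
            "alice": user_key("alice", "correct horse")}  # the KDC's copy of the user's key

def kas(client, authenticator):  # steps 1-2: pre-auth with the user's key, then issue the TGT
    decrypt(KDC_KEYS[client], authenticator)  # fails unless the sender knows the password
    logon_sk = os.urandom(32).hex()
    tgt = encrypt(KDC_KEYS["krbtgt"], {"client": client, "key": logon_sk})
    return tgt, encrypt(KDC_KEYS[client], {"key": logon_sk})

def tgs(tgt, authenticator, service):  # steps 3-4: check TGT + authenticator, issue the ST
    t = decrypt(KDC_KEYS["krbtgt"], tgt)  # the client never sees the krbtgt key
    if decrypt(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match TGT")
    svc_sk = os.urandom(32).hex()
    st = encrypt(KDC_KEYS[service], {"client": t["client"], "key": svc_sk})
    return st, encrypt(bytes.fromhex(t["key"]), {"key": svc_sk})

def web_server(st, authenticator):  # steps 5-6: check ST, echo the timestamp for mutual auth
    t = decrypt(KDC_KEYS["http/web"], st)
    a = decrypt(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match service ticket")
    return encrypt(bytes.fromhex(t["key"]), {"ts": a["ts"]})

def login(client, password, service="http/web"):  # client side of all six steps
    ukey = user_key(client, password)
    tgt, blob = kas(client, encrypt(ukey, {"client": client, "ts": time.time()}))
    logon_sk = bytes.fromhex(decrypt(ukey, blob)["key"])
    st, blob = tgs(tgt, encrypt(logon_sk, {"client": client, "ts": time.time()}), service)
    svc_sk, ts = bytes.fromhex(decrypt(logon_sk, blob)["key"]), time.time()
    reply = web_server(st, encrypt(svc_sk, {"client": client, "ts": ts}))
    return decrypt(svc_sk, reply)["ts"] == ts
```

`login("alice", "correct horse")` returns True; a wrong password raises ValueError inside `kas` before any ticket is issued, which is the pre-authentication described in step 1.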