Kerberos authentication process

Source: Internet
Author: User

A note before we begin: this article builds on the introduction to Kerberos authentication written by Artech and presents my personal understanding of the Kerberos authentication process and its message exchange. See Artech's article for more information. If you have any questions or corrections, please let me know.

First, we will introduce several concepts in Kerberos:


  1. AD: Active Directory
  2. Service Session Key
  3. Logon Session Key
  4. KDC: Key Distribution Center
  5. KAS: Kerberos Authentication Service; a service of the KDC.
  6. TGS: Ticket Granting Service; a service of the KDC.
  7. Service Ticket (ST): obtained through the TGS; mainly contains user information and the Service Session Key.
  8. TGT: Ticket Granting Ticket; obtained through the KAS; mainly contains user information and the Logon Session Key.
  9. Authenticator: information known in advance to both parties, used for authentication.


1. Overall structure of KDC



2. Kerberos authentication process:


Process description:


  1. The client obtains a TGT (Ticket Granting Ticket) through the KAS (Kerberos Authentication Service) of the Key Distribution Center.
  2. The client uses the TGT to get an ST (Service Ticket).
  3. The client uses the Service Ticket to access service resources.



3. Message interaction between Client and Server

1. The client sends a message to the KDC's KAS service to obtain the TGT.

The message interaction is as follows:


Note: the client sends its user name in plaintext, together with an Authenticator encrypted with the key derived from its own password, to the KAS service.

After receiving the message from the client, KAS processes it as follows:

2. KAS sends a reply to the client

Message interaction in this process is as follows:


After receiving the KAS reply, the client performs the following steps:

3. The client sends a message to the TGS (Ticket Granting Service) of the KDC (Key Distribution Center) to get the ST (Service Ticket)

Message interaction in this process is as follows:


In this process, TGS (Ticket Granting Service) processes the received message as follows:


4. The TGS service returns a message to the client.

Message interaction in this process is as follows:


After the client receives a TGS reply, it will process it as follows:


5. The client accesses server resources through ST

Message interaction in this process is as follows:


After receiving a message from the client, the server processes the message as follows:


6. The client authenticates the server

Message interaction in this process is as follows:


The process for the client to authenticate the server is as follows:
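
The six messages of section 3, simulated end to end as an added example (not code from the original article or from any Kerberos implementation). Assumptions: `seal`/`unseal` are a toy authenticated cipher standing in for a real Kerberos encryption type, the Authenticator carries a user name and timestamp, and all accounts, keys, the 300-second skew and the name `http/web` are constructed.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # SHA-256 counter keystream of at least n bytes
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def seal(key, obj):  # toy authenticated encryption, a stand-in for a real Kerberos etype
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):  # raises ValueError when the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def password_key(user, password):  # key derived from the password (KDF parameters assumed)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)
def check(auth, user, skew=300):  # Authenticator must name the ticket's user and be recent
    if auth["user"] != user or abs(time.time() - auth["ts"]) > skew:
        raise ValueError("stale or mismatched authenticator")

AD = {"alice": password_key("alice", "correct horse")}  # constructed account database
KDC_KEY, SERVICE_KEYS = os.urandom(32), {"http/web": os.urandom(32)}  # constructed secrets

def kas(user, enc_auth):  # messages 1 and 2: Authenticator in, Logon Session Key + TGT out
    check(unseal(AD[user], enc_auth), user)
    lsk = os.urandom(32).hex()
    return seal(AD[user], {"key": lsk}), seal(KDC_KEY, {"user": user, "key": lsk})

def tgs(tgt, enc_auth, spn):  # messages 3 and 4: TGT in, Service Session Key + ST out
    t = unseal(KDC_KEY, tgt)
    lsk, ssk = bytes.fromhex(t["key"]), os.urandom(32).hex()
    check(unseal(lsk, enc_auth), t["user"])
    return seal(lsk, {"key": ssk}), seal(SERVICE_KEYS[spn], {"user": t["user"], "key": ssk})

def service(spn, st, enc_auth):  # messages 5 and 6: ST in, proof of the server's identity out
    t = unseal(SERVICE_KEYS[spn], st)
    auth = unseal(bytes.fromhex(t["key"]), enc_auth)
    check(auth, t["user"])
    return t["user"], seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})

def client_login(user, password, spn="http/web"):
    key, ts = password_key(user, password), time.time()
    auth = lambda k: seal(k, {"user": user, "ts": ts})
    enc_lsk, tgt = kas(user, auth(key))
    lsk = bytes.fromhex(unseal(key, enc_lsk)["key"])
    enc_ssk, st = tgs(tgt, auth(lsk), spn)
    ssk = bytes.fromhex(unseal(lsk, enc_ssk)["key"])
    who, proof = service(spn, st, auth(ssk))
    return who, unseal(ssk, proof)["ts"] == ts  # True only if the server could open the ST
```

The client never holds `KDC_KEY` or the service key, so it forwards the TGT and ST as opaque blobs and learns each session key only from the copy encrypted under a key it already has.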


