
Kerberos Authentication

Client                           Domain Controller   Application Server
                                       (DC)          (Resource Server)
  |                                      |                   |
  | ---------------------------------->  |                   |
  | Authentication Server Request        |                   |
  |                                      |                   |
  | <----------------------------------- |                   |
  | Authentication Server Reply          |                   |
  |                                      |                   |
  | ---------------------------------->  |                   |
  | Ticket Granting Service Request      |                   |
  |                                      |                   |
  | <----------------------------------- |                   |
  | Ticket Granting Server Reply         |                   |
  |                                      |                   |
  | ------------------------------------------------------>  |
  | Application Request                                      |
  | <------------------------------------------------------  |
  | Application Response                                     |
  |                                                          |
  • Authentication Server Request
    • Preparation
      • Client creates a hash from the user name and password
      • Client encrypts the current timestamp with that user hash
    • Payload: encrypted timestamp
  • Authentication Server Reply
    • Preparation
      • DC creates the same hash from the user name and password
      • DC decrypts the timestamp (a successful decrypt proves the client knows the password)
    • Payload: session key (encrypted with the user hash) + TGT
  • Ticket Granting Service Request
    • ...
  • Ticket Granting Server Reply
    • Payload:
      • SPN
      • Session key
      • Service ticket
  • Application Request / Response
    • Resource server accepts or rejects the request
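The three exchanges above (AS, TGS, AP), carried through end to end as an added example that is not part of the original notes. It is a toy model, not real Kerberos: the `encrypt`/`decrypt` primitive is a constructed HMAC-based stand-in for Kerberos encryption types, the realm, user, SPN, password and clock values are made up, and the checks a DC and a service actually perform are reduced to the ones that matter for the flow: pre-authentication (decrypting the timestamp with the user's key), clock-skew tolerance, ticket expiry, and a replay cache on the application server.

```python
"""Toy end-to-end Kerberos flow: AS exchange, TGS exchange, AP exchange (illustration only)."""
import hashlib, hmac, json, os

MAX_SKEW = 300        # seconds of clock skew a KDC/service tolerates (Kerberos default is 5 min)
TICKET_LIFE = 36000   # assumed ticket lifetime for this example

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Constructed encrypt-then-MAC of a JSON object (stand-in for a Kerberos etype)."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Fails (ValueError) on a wrong key or a tampered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password, salt):
    """Client and DC derive the same long-term key from the password (the notes' 'user hash').
    Real Kerberos uses its string-to-key function; PBKDF2 here is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

class KDC:
    """Domain controller: holds each principal's long-term key plus the krbtgt key."""
    def __init__(self, keys):
        self.keys, self.krbtgt_key = keys, os.urandom(32)

    def as_exchange(self, user, pa_enc_timestamp, now):
        try:
            pa = decrypt(self.keys[user], pa_enc_timestamp)       # pre-auth: wrong password fails here
        except ValueError:
            raise ValueError("KDC_ERR_PREAUTH_FAILED")
        if abs(now - pa["ts"]) > MAX_SKEW:
            raise ValueError("KRB_AP_ERR_SKEW")
        sk = os.urandom(32).hex()
        tgt = encrypt(self.krbtgt_key, {"user": user, "sk": sk, "exp": now + TICKET_LIFE})
        return encrypt(self.keys[user], {"sk": sk}), tgt          # AS-REP: session key + TGT

    def tgs_exchange(self, tgt, authenticator, spn, now):
        t = decrypt(self.krbtgt_key, tgt)                         # only the DC can open a TGT
        a = decrypt(bytes.fromhex(t["sk"]), authenticator)        # client proves it holds the session key
        if now > t["exp"] or a["user"] != t["user"] or abs(now - a["ts"]) > MAX_SKEW:
            raise ValueError("TGS-REQ rejected")
        svc_sk = os.urandom(32).hex()
        ticket = encrypt(self.keys[spn], {"user": t["user"], "sk": svc_sk, "exp": now + TICKET_LIFE})
        return encrypt(bytes.fromhex(t["sk"]), {"spn": spn, "sk": svc_sk}), ticket  # TGS-REP

class Service:
    """Application server: opens the service ticket with its own key, keeps a replay cache."""
    def __init__(self, key):
        self.key, self.replay_cache = key, set()

    def ap_exchange(self, ticket, authenticator, now):
        try:
            t = decrypt(self.key, ticket)
            a = decrypt(bytes.fromhex(t["sk"]), authenticator)
        except ValueError:
            return "REJECT"
        if now > t["exp"] or a["user"] != t["user"] or abs(now - a["ts"]) > MAX_SKEW:
            return "REJECT"
        if (a["user"], a["ts"]) in self.replay_cache:             # same authenticator seen before
            return "REJECT"
        self.replay_cache.add((a["user"], a["ts"]))
        return "ACCEPT"

def run_flow(typed_password="Winter2024!", clock_offset=0):
    """Drive the three exchanges; returns the AS outcome, the service verdict, and the
    verdict for a second presentation of the same AP-REQ. All identifiers are constructed."""
    user, spn, salt = "alice", "HTTP/web01", "EXAMPLE.LOCALalice"
    kdc = KDC({user: user_key("Winter2024!", salt), spn: os.urandom(32)})
    service = Service(kdc.keys[spn])
    now = 1_700_000_000
    # 1. AS-REQ: timestamp encrypted with the key derived from whatever password was typed
    client_key = user_key(typed_password, salt)
    try:
        as_rep, tgt = kdc.as_exchange(user, encrypt(client_key, {"ts": now + clock_offset}), now)
    except ValueError as e:
        return {"as": str(e), "ap": None, "replay": None}
    sk = bytes.fromhex(decrypt(client_key, as_rep)["sk"])
    # 2. TGS-REQ: TGT + authenticator in, service ticket for the SPN out
    tgs_rep, ticket = kdc.tgs_exchange(tgt, encrypt(sk, {"user": user, "ts": now}), spn, now)
    svc_sk = bytes.fromhex(decrypt(sk, tgs_rep)["sk"])
    # 3. AP-REQ: service ticket + fresh authenticator to the application server
    auth = encrypt(svc_sk, {"user": user, "ts": now})
    first = service.ap_exchange(ticket, auth, now)
    second = service.ap_exchange(ticket, auth, now + 1)             # replayed AP-REQ
    return {"as": "OK", "ap": first, "replay": second}

if __name__ == "__main__":
    print(run_flow())                       # {'as': 'OK', 'ap': 'ACCEPT', 'replay': 'REJECT'}
    print(run_flow("wrong-password"))       # AS step fails: KDC_ERR_PREAUTH_FAILED
    print(run_flow(clock_offset=900))       # AS step fails: KRB_AP_ERR_SKEW
```

Two points the code makes visible that the bullet list only implies: the DC never sees the password, only whether the timestamp decrypts under the key it holds for that user, which is why a wrong password surfaces at the AS step as a pre-authentication failure; and the TGT is opaque to the client because it is encrypted with the krbtgt key, so the client can only forward it, not read or alter it. The replay cache on the service shows why a fresh authenticator is required on every Application Request even though the same service ticket is reused.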