4.1 Obtaining a Service Ticket
Figure 2: Obtaining a service ticket
1. When a Kerberos client wants to use Kerberos-based authentication and cannot locate a DC for the realm, it uses ProxyMessage() (section 3.1.5.1) to invoke the KKDCP client.
2. Because the Kerberos client does not have a ticket-granting ticket (TGT), it calls ProxyMessage with a KRB_AS_REQ.
3. The KKDCP client establishes a TLS secure channel with the KKDCP server.
4. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_AS_REQ to the KKDCP server.
5. The KKDCP server finds the KDC and sends the KRB_AS_REQ to the KDC.
6. The KDC returns a KRB_AS_REP to the KKDCP server.
7. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_AS_REP to the KKDCP client.
8. The KKDCP client returns the KRB_AS_REP and SUCCESS to the Kerberos client.
9. The Kerberos client processes the KRB_AS_REP and calls ProxyMessage with a KRB_TGS_REQ.
10. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_TGS_REQ to the KKDCP server.
11. The KKDCP server finds the KDC and sends the KRB_TGS_REQ to the KDC.
12. The KDC returns a KRB_TGS_REP to the KKDCP server.
13. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_TGS_REP to the KKDCP client.
14. The KKDCP client returns the KRB_TGS_REP and SUCCESS to the Kerberos client.
15. The Kerberos client processes the KRB_TGS_REP and sends a KRB_AP_REQ to the Kerberos application server.
16. The Kerberos application server processes the KRB_AP_REQ and sends a KRB_AP_REP to the Kerberos client.
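Each KDC_PROXY_MESSAGE that the KKDCP client and server exchange above wraps the Kerberos message in a small DER structure (KDC-PROXY-MESSAGE: kerb-message [0] OCTET STRING, target-domain [1] KERB-REALM OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL), where the octet string holds the Kerberos message prefixed by the 4-byte big-endian length used by the Kerberos TCP transport. The following Python is an added example, not code from this specification, that encodes and decodes that structure and refuses a message whose embedded length prefix disagrees with the payload, which is the consistency check a proxy should apply before forwarding anything to a KDC; the message bytes used with it are constructed placeholders, not real KRB_AS_REQ content.

```python
import struct
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _tlv(tag, body):  # one DER tag-length-value element
    return bytes([tag]) + _der_len(len(body)) + body

def encode_kdc_proxy_message(kerb_message, target_domain=None, dclocator_hint=None):
    # kerb-message [0] OCTET STRING: the Kerberos message with its 4-byte big-endian TCP length prefix
    framed = struct.pack(">I", len(kerb_message)) + kerb_message
    body = _tlv(0xA0, _tlv(0x04, framed))
    if target_domain is not None:  # target-domain [1] KERB-REALM (GeneralString)
        body += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))
    if dclocator_hint is not None:  # dclocator-hint [2] INTEGER (non-negative values assumed)
        hint = dclocator_hint.to_bytes((dclocator_hint.bit_length() + 8) // 8, "big")
        body += _tlv(0xA2, _tlv(0x02, hint))
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln
def decode_kdc_proxy_message(data):
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    msg, domain, hint, pos = None, None, None, 0
    while pos < len(seq):
        ctag, cbody, pos = _read_tlv(seq, pos)
        itag, inner, _ = _read_tlv(cbody, 0)
        if ctag == 0xA0 and itag == 0x04:
            # the embedded length prefix must agree with the bytes actually present
            if len(inner) < 4 or struct.unpack(">I", inner[:4])[0] != len(inner) - 4:
                raise ValueError("kerb-message length prefix mismatch")
            msg = inner[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            domain = inner.decode("ascii")
        elif ctag == 0xA2 and itag == 0x02:
            hint = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError("unexpected field in KDC-PROXY-MESSAGE")
    if msg is None:
        raise ValueError("kerb-message is mandatory")
    return msg, domain, hint
```

On the wire, the KKDCP client POSTs the encoded bytes as the HTTP body over the TLS channel established above and parses the server's response body the same way.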