4.1 Obtaining a Service Ticket

Figure 2: Obtaining a service ticket

When a Kerberos client wants to use Kerberos-based authentication and cannot locate a DC for the realm, it uses ProxyMessage() (section 3.1.5.1) to invoke the KKDCP client.

  1. Because the Kerberos client does not have a ticket-granting ticket (TGT), it calls ProxyMessage with a KRB_AS_REQ.

  2. The KKDCP client establishes a TLS secure channel with the KKDCP server.

  3. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_AS_REQ to the KKDCP server.

  4. The KKDCP server finds the KDC and sends the KRB_AS_REQ to the KDC.

  5. The KDC returns a KRB_AS_REP to the KKDCP server.

  6. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_AS_REP to the KKDCP client.

  7. The KKDCP client returns the KRB_AS_REP and SUCCESS to the Kerberos client.

  8. The Kerberos client processes the KRB_AS_REP and calls ProxyMessage with a KRB_TGS_REQ.

  9. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_TGS_REQ to the KKDCP server.

  10. The KKDCP server finds the KDC and sends the KRB_TGS_REQ to the KDC.

  11. The KDC returns a KRB_TGS_REP to the KKDCP server.

  12. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_TGS_REP to the KKDCP client.

  13. The KKDCP client returns the KRB_TGS_REP and SUCCESS to the Kerberos client.

  14. The Kerberos client processes the KRB_TGS_REP and sends a KRB_AP_REQ to the Kerberos application server.

  15. The Kerberos application server processes the KRB_AP_REQ and sends a KRB_AP_REP to the Kerberos client.
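The AS and TGS exchanges in steps 1 through 13, as an added example that is not part of MS-KKDCP or of any Microsoft implementation: the encoder and strict decoder follow the KDC-PROXY-MESSAGE ASN.1 definition in MS-KKDCP section 2.2.2 (kerb-message is an OCTET STRING holding the Kerberos message with its 4-octet big-endian length prefix as used for Kerberos over TCP, target-domain is a KerberosString, dclocator-hint is an INTEGER). Everything else is an assumption of the example: the `<KRB_AS_REQ>`-style payloads, the `STUB_KDC` table and the realm `EXAMPLE.COM` are constructed placeholders rather than real Kerberos encodings, and the TLS channel and HTTP POST of steps 2, 3 and 9 are replaced by a direct function call so the round trip runs offline.

```python
"""KDC_PROXY_MESSAGE framing (MS-KKDCP 2.2.2) with a simulated proxy round trip.
Kerberos payloads here are constructed placeholders, not real KRB_* encodings."""
import struct

def _der_len(n: int) -> bytes:
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form, minimal octets

def _der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(n: int) -> bytes:                     # minimal two's-complement, n >= 0
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")

def _der_read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); reject truncated or non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80 or (nbytes > 1 and length < 1 << (8 * (nbytes - 1))):
            raise ValueError("non-minimal length, not DER")
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length

def encode_kdc_proxy_message(kerb_msg, target_domain=None, dclocator_hint=None):
    """KDC-PROXY-MESSAGE ::= SEQUENCE {
         kerb-message   [0] OCTET STRING,           -- 4-byte BE length + message
         target-domain  [1] KerberosString OPTIONAL,
         dclocator-hint [2] INTEGER OPTIONAL }"""
    framed = struct.pack(">I", len(kerb_msg)) + kerb_msg   # Kerberos-over-TCP prefix
    body = _der_tlv(0xA0, _der_tlv(0x04, framed))
    if target_domain is not None:                           # GeneralString, tag 0x1B
        body += _der_tlv(0xA1, _der_tlv(0x1B, target_domain.encode("ascii")))
    if dclocator_hint is not None:
        body += _der_tlv(0xA2, _der_tlv(0x02, _der_int(dclocator_hint)))
    return _der_tlv(0x30, body)

_INNER_TAG = {0xA0: 0x04, 0xA1: 0x1B, 0xA2: 0x02}          # context tag -> inner type

def decode_kdc_proxy_message(data: bytes) -> dict:
    """Strict parse; any ValueError means the proxy must drop the message."""
    tag, body, end = _der_read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one SEQUENCE and no trailing bytes")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos, last = 0, -1
    while pos < len(body):
        tag, inner, pos = _der_read_tlv(body, pos)
        if tag not in _INNER_TAG or (tag & 0x1F) <= last:  # fields once, in order
            raise ValueError("unexpected, repeated or out-of-order field")
        last = tag & 0x1F
        itag, content, iend = _der_read_tlv(inner, 0)
        if itag != _INNER_TAG[tag] or iend != len(inner):
            raise ValueError("wrong inner type or trailing bytes in field")
        if tag == 0xA0:
            # The prefix is redundant on HTTP; refuse to forward if it disagrees
            if len(content) < 4 or struct.unpack(">I", content[:4])[0] != len(content) - 4:
                raise ValueError("length prefix does not match payload")
            out["kerb_message"] = content[4:]
        elif tag == 0xA1:
            out["target_domain"] = content.decode("ascii")
        else:
            out["dclocator_hint"] = int.from_bytes(content, "big", signed=True)
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out

def is_well_formed(data: bytes) -> bool:
    try:
        decode_kdc_proxy_message(data)
        return True
    except ValueError:
        return False

# Constructed stand-in for the KDC (steps 4-5, 10-11); keys are placeholder bytes.
STUB_KDC = {b"<KRB_AS_REQ>": b"<KRB_AS_REP>", b"<KRB_TGS_REQ>": b"<KRB_TGS_REP>"}

def kkdcp_server(http_body: bytes) -> bytes:
    """Steps 4-6 and 10-12: unwrap, hand to the KDC, wrap the reply."""
    req = decode_kdc_proxy_message(http_body)      # malformed input is rejected here
    return encode_kdc_proxy_message(STUB_KDC[req["kerb_message"]])

def proxy_message(kerb_msg: bytes, realm: str) -> bytes:
    """ProxyMessage(): steps 2-3 and 6-7 with the TLS/HTTP hop replaced by a call."""
    wire = encode_kdc_proxy_message(kerb_msg, target_domain=realm)
    return decode_kdc_proxy_message(kkdcp_server(wire))["kerb_message"]

def obtain_service_ticket(realm: str = "EXAMPLE.COM") -> list:
    """Steps 1-13: AS exchange then TGS exchange, both through the proxy."""
    return [proxy_message(b"<KRB_AS_REQ>", realm),
            proxy_message(b"<KRB_TGS_REQ>", realm)]
```

Two checks in the decoder are the ones a proxy operator should care about: a message whose 4-octet prefix disagrees with the actual kerb-message length is dropped rather than forwarded, and trailing bytes, repeated fields or non-minimal DER lengths are treated as errors instead of being silently skipped. target-domain is client-supplied; a real KKDCP server should decide which realms it is willing to locate a KDC for before acting on it.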