Figure 3: Obtaining a service ticket with password change
When a Kerberos client wants to use Kerberos-based authentication and cannot locate a DC for the realm, it uses ProxyMessage() (section 3.1.5.1) to invoke the KKDCP client. If the logon requires the user to change the password prior to logon, applications can use KKDCP for Kerberos password change.
1. Since the Kerberos client does not have a TGT, it calls ProxyMessage with a KRB_AS_REQ.
2. The KKDCP client establishes a TLS secure channel with the KKDCP server.
3. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_AS_REQ to the KKDCP server.
4. The KKDCP server finds the KDC and sends the KRB_AS_REQ to the KDC.
5. The KDC returns a KRB_ERROR indicating that a password change is required before logon to the KKDCP server.
6. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_ERROR to the KKDCP client.
7. The KKDCP client returns the KRB_ERROR and SUCCESS to the Kerberos client.
8. The Kerberos client processes the KRB_ERROR and returns a "password change required before logon" error to the application. Since the application supports password change, it initiates a Kerberos change password. The Kerberos client calls ProxyMessage with a KRB_AS_REQ for kadmin/changepw.
9. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_AS_REQ to the KKDCP server.
10. The KKDCP server finds the KDC and sends the KRB_AS_REQ to the KDC.
11. The KDC returns a KRB_AS_REP to the KKDCP server.
12. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_AS_REP to the KKDCP client.
13. The KKDCP client returns the KRB_AS_REP and SUCCESS to the Kerberos client.
14. The Kerberos client processes the KRB_AS_REP, creates a Kerberos change password request (KRB_CHG_PWD_REQ) and calls ProxyMessage.
15. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_CHG_PWD_REQ to the KKDCP server.
16. The KKDCP server finds the KDC and sends the KRB_CHG_PWD_REQ to the KDC (the change-password service described in RFC 3244, which on Active Directory runs on the KDC).
17. The KDC returns a Kerberos change password reply (KRB_CHG_PWD_REP) to the KKDCP server.
18. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_CHG_PWD_REP to the KKDCP client.
19. The KKDCP client returns the KRB_CHG_PWD_REP and SUCCESS to the Kerberos client.
20. The Kerberos client processes the KRB_CHG_PWD_REP. The application initiates a logon with the new password. The Kerberos client calls ProxyMessage with a KRB_AS_REQ.
21. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_AS_REQ to the KKDCP server.
22. The KKDCP server finds the KDC and sends the KRB_AS_REQ to the KDC.
23. The KDC returns a KRB_AS_REP to the KKDCP server.
24. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_AS_REP to the KKDCP client.
25. The KKDCP client returns the KRB_AS_REP and SUCCESS to the Kerberos client.
26. The Kerberos client processes the KRB_AS_REP and calls ProxyMessage with a KRB_TGS_REQ.
27. The KKDCP client sends a KDC_PROXY_MESSAGE containing the KRB_TGS_REQ to the KKDCP server.
28. The KKDCP server finds the KDC and sends the KRB_TGS_REQ to the KDC.
29. The KDC returns a KRB_TGS_REP to the KKDCP server.
30. The KKDCP server sends a KDC_PROXY_MESSAGE containing the KRB_TGS_REP to the KKDCP client.
31. The KKDCP client returns the KRB_TGS_REP and SUCCESS to the Kerberos client.
32. The Kerberos client processes the KRB_TGS_REP and sends a KRB_AP_REQ to the Kerberos application server.
33. The Kerberos application server processes the KRB_AP_REQ and sends a KRB_AP_REP to the Kerberos client.
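The following is an added example, not code from the specification or from any Microsoft implementation. It shows the envelope every hop in the exchange above carries: a DER-encoded KDC-PROXY-MESSAGE whose kerb-message holds a Kerberos message with the 4-byte length prefix used by Kerberos over TCP. It also shows the two client-side checks the flow depends on: telling apart RFC 4120 ASN.1 messages (by APPLICATION tag) from RFC 3244 change-password messages (by length word and version word), and pulling error-code [6] out of a KRB-ERROR so that KDC_ERR_KEY_EXPIRED (23) can trigger the kadmin/changepw branch. The sample KRB-ERROR, the realm EXAMPLE.COM and the kpasswd bytes are constructed here for the example.

```python
# Added example for [MS-KKDCP]: DER codec for KDC-PROXY-MESSAGE plus the
# client-side checks used in the "password change before logon" exchange.
# Not specification or vendor code; sample data below is constructed.
import struct

# --- minimal DER helpers; Kerberos only uses single-byte tags --------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):                       # non-negative Int32 is all we need
    assert n >= 0
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def ctx(n, body):                     # [n] EXPLICIT context-specific tag
    return tlv(0xA0 | n, body)

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used by Kerberos")
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        pos += 2 + nb
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

# --- KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
#     target-domain [1] KERB-REALM OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }
def wrap_kdc_proxy_message(kerb_msg, target_domain=None, dclocator_hint=None):
    # kerb-message keeps the 4-byte big-endian length prefix of Kerberos-over-TCP
    fields = ctx(0, tlv(0x04, struct.pack(">I", len(kerb_msg)) + kerb_msg))
    if target_domain is not None:
        fields += ctx(1, tlv(0x1B, target_domain.encode("ascii")))   # GeneralString
    if dclocator_hint is not None:
        fields += ctx(2, der_int(dclocator_hint))
    return tlv(0x30, fields)

def unwrap_kdc_proxy_message(data):
    """Return (kerberos_message_without_prefix, target_domain, dclocator_hint)."""
    tag, seq, end = der_read(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single KDC-PROXY-MESSAGE")
    kerb_msg, realm, hint = None, None, None
    for ctag, cval in der_children(seq):
        inner_tag, inner, _ = der_read(cval)
        if ctag == 0xA0 and inner_tag == 0x04:
            declared, = struct.unpack(">I", inner[:4])
            if declared != len(inner) - 4:      # refuse a lying length prefix
                raise ValueError("kerb-message length prefix does not match payload")
            kerb_msg = inner[4:]
        elif ctag == 0xA1 and inner_tag == 0x1B:
            realm = inner.decode("ascii")
        elif ctag == 0xA2 and inner_tag == 0x02:
            hint = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError("unexpected field tag 0x%02x" % ctag)
    if kerb_msg is None:
        raise ValueError("kerb-message is mandatory")
    return kerb_msg, realm, hint

# --- what is inside the envelope ------------------------------------------
APP_TAGS = {0x6A: "KRB_AS_REQ", 0x6B: "KRB_AS_REP", 0x6C: "KRB_TGS_REQ",
            0x6D: "KRB_TGS_REP", 0x6E: "KRB_AP_REQ", 0x6F: "KRB_AP_REP",
            0x7E: "KRB_ERROR"}
KDC_ERR_KEY_EXPIRED = 23   # RFC 4120: password expired, change it to reset

def classify_kerberos_message(msg):
    """RFC 3244 kpasswd messages start with their own 16-bit length and a
    version word (0xff80 request, 0x0001 reply); everything else is an RFC 4120
    ASN.1 message identified by its APPLICATION tag."""
    if len(msg) >= 4 and struct.unpack(">H", msg[:2])[0] == len(msg):
        if msg[2:4] == b"\xff\x80":
            return "KRB_CHG_PWD_REQ"
        if msg[2:4] == b"\x00\x01":
            return "KRB_CHG_PWD_REP"
    return APP_TAGS.get(msg[0], "unknown") if msg else "empty"

def krb_error_code(msg):
    """error-code [6] of a KRB-ERROR ([APPLICATION 30] SEQUENCE), else None."""
    tag, seq_tlv, _ = der_read(msg)
    if tag != 0x7E:
        return None
    _, body, _ = der_read(seq_tlv)
    for ctag, cval in der_children(body):
        if ctag == 0xA6:
            return int.from_bytes(der_read(cval)[1], "big", signed=True)
    return None

def client_next_step(reply):
    """Decision the Kerberos client takes on what ProxyMessage() handed back."""
    kind = classify_kerberos_message(reply)
    if kind == "KRB_ERROR" and krb_error_code(reply) == KDC_ERR_KEY_EXPIRED:
        return "change password: AS-REQ for kadmin/changepw, then KRB_CHG_PWD_REQ"
    if kind == "KRB_AS_REP":
        return "TGT obtained: continue with KRB_TGS_REQ"
    return "surface %s to the application" % kind

def sample_krb_error(code=KDC_ERR_KEY_EXPIRED, realm="EXAMPLE.COM"):
    """Constructed KRB-ERROR (hypothetical realm) as a KDC returns it in step 5."""
    sname = tlv(0x30, ctx(0, der_int(2)) + ctx(1, tlv(0x30,
                tlv(0x1B, b"krbtgt") + tlv(0x1B, realm.encode()))))
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30)) +
            ctx(4, tlv(0x18, b"20240101000000Z")) + ctx(5, der_int(0)) +
            ctx(6, der_int(code)) + ctx(9, tlv(0x1B, realm.encode())) + ctx(10, sname))
    return tlv(0x7E, tlv(0x30, body))

if __name__ == "__main__":
    env = wrap_kdc_proxy_message(sample_krb_error(), "EXAMPLE.COM", 0)
    msg, realm, hint = unwrap_kdc_proxy_message(env)
    print(classify_kerberos_message(msg), krb_error_code(msg), client_next_step(msg))
```

The envelope is what the KKDCP client POSTs over the TLS channel of step 2 and what the server hands back; the server strips the 4-byte prefix before forwarding to a KDC over UDP and keeps it for TCP, which is why the unwrap refuses a prefix that disagrees with the payload length instead of trusting it. The classifier checks the kpasswd shape first because it has two independent constraints (length word and version word), whereas an ASN.1 message is identified by a single tag byte.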