- Every user and service that participates in the Kerberos authentication protocol requires a principal to uniquely identify itself.
- There are user principals and service principals.
- e.g. alice@EXAMPLE.COM
- Realm: an authentication administrative domain (e.g. EXAMPLE.COM, the part of the principal name after the @)
Key distribution center (KDC):
- The KDC is made up of three components: the Kerberos database, the authentication service (AS), and the ticket-granting service (TGS).
- e.g. kdc.example.com – the KDC for the Kerberos realm EXAMPLE.COM
Aim: the user needs to access the service identified by the principal myservice/server1.example.com@EXAMPLE.COM
- The user initiates a request to the AS at kdc.example.com, identifying himself as the principal xyz@EXAMPLE.COM.
- The AS responds with a TGT in a reply encrypted using the principal's key (derived from the principal's password).
- The user is now prompted for the principal's password; only the correct password yields the key that decrypts the reply.
- The user now uses the TGT to request a service ticket from the TGS at kdc.example.com.
- The TGS validates the TGT and issues the user a service ticket, encrypted with the key of the myservice/server1.example.com@EXAMPLE.COM principal.
- The user now presents the service ticket to myservice, which decrypts it using the myservice/server1.example.com@EXAMPLE.COM key and validates the ticket. That key is shared only between the service and the KDC, so a ticket that decrypts and verifies correctly must have been issued by the TGS.
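The flow above as an added Python model (written for these notes, not real Kerberos code or any library's implementation): the AS, TGS and service each seal or open tickets with the keys they hold, and a wrong password or a tampered ticket fails the integrity check. It uses constructed keys and a toy cipher in place of Kerberos enctypes, omits session keys and authenticators, and, as in the real protocol, seals the TGT itself under the KDC's krbtgt key while the reply to the user is what the password-derived key opens.

```python
import hashlib, hmac, json, secrets
def derive_key(password: str) -> bytes:
    # Stand-in for Kerberos string2key: the principal's long-term key is derived from its password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.COM", 100_000)  # constructed salt
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in for a Kerberos enctype
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    # A wrong key (e.g. a wrong password) fails the integrity check instead of yielding garbage
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

KRBTGT = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
SERVICE = "myservice/server1.example.com@EXAMPLE.COM"
KDC_DB = {  # constructed Kerberos database for realm EXAMPLE.COM: principal -> long-term key
    "alice@EXAMPLE.COM": derive_key("correct horse"),
    KRBTGT: secrets.token_bytes(32),
    SERVICE: secrets.token_bytes(32),
}

def as_exchange(client: str) -> bytes:
    # AS: TGT sealed under the krbtgt key (opaque to the user); the reply carrying it is sealed under the client's key
    tgt = seal(KDC_DB[KRBTGT], {"client": client})
    return seal(KDC_DB[client], {"tgt": tgt.hex()})

def tgs_exchange(tgt: bytes, service: str) -> bytes:
    # TGS: validates the TGT by opening it under the krbtgt key, then issues a ticket sealed under the service's key
    body = unseal(KDC_DB[KRBTGT], tgt)
    return seal(KDC_DB[service], {"client": body["client"], "service": service})

def service_accept(service: str, ticket: bytes) -> str:
    # Service: opens the ticket with its own key and learns the authenticated client principal
    body = unseal(KDC_DB[service], ticket)
    if body["service"] != service:
        raise ValueError("ticket was issued for a different service")
    return body["client"]

def login_and_access(client: str, password: str, service: str) -> str:
    # Client side of the flow: AS-REQ/REP, then TGS-REQ/REP, then present the service ticket
    rep = unseal(derive_key(password), as_exchange(client))
    return service_accept(service, tgs_exchange(bytes.fromhex(rep["tgt"]), service))
```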