
Kerberos Question

Discussion in 'Network Infrastructure' started by surfthegecko, Jan 24, 2010.

  1. surfthegecko

    surfthegecko Bit Poster


    Quick question for all you 70-291 fans out there. I am currently trying to get my head round Kerberos and wanted to check that I have the following points correct:

    Issuing A TGT (Ticket Granting Ticket)
    This acts as the Master Ticket, and is created so domain passwords do not need to be sent back and forth.

    -Computer and users logon
    -Client computer sends a hashed version of the password (sometimes including the local time) to the DC/KDC

    -DC decrypts with a local copy of the hash
    -DC then checks that the encrypted local time is no more than 5 minutes later
    -DC then pre-authenticates the package, and then continues to authenticate as the rest of the Kerberos transaction proceeds

    -DC then generates a PAC (Privilege Access Certificate) containing their access, SID, logon hours, access restrictions etc.
    -This is then packaged into a TGT and passed back to the client to decrypt

    Issuing A ST (Session Ticket)
    This ticket is only valid for a limited time and for a particular purpose. This is issued off the back of the TGT.

    -Client computer sends its TGT to the TGS/KDC/DC and requests a Session/Service Ticket
    -TGS/KDC/DC then sends a Session/Service Ticket to the client
    -Client computer sends the ST to a Validating Server (e.g. File Server)
    -Validating Server authenticates the ST
    -Client/Server Session is then established

    Any guidance/confirmation/links etc on the above would be appreciated.

  2. Revolate

    Revolate Nibble Poster

    Yeah what he said ^ :biggrin

    http://en.wikipedia.org/wiki/Kerberos_(protocol)#Client_Authentication :rolleyes:
    Certifications: A+, N+, MCDST, NVQ3, ADITP.
    WIP: Server+ and a nice break?
  3. surfthegecko

    surfthegecko Bit Poster

    Thanks, makes more sense now.
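
The pre-authentication steps from the first post (the client sends its local time protected with a key derived from the password, the DC decrypts with its own copy of that key and checks the five-minute window), as an added Python example that is not part of the thread. PBKDF2 and the HMAC-based sealing are simplified stand-ins for the Kerberos string-to-key function and encryption types; the realm, user, password and function names are made up for the illustration.

```python
import hashlib, hmac, os, struct

MAX_SKEW = 300  # seconds; the five-minute tolerance mentioned in the post

def derive_key(password, realm, user):
    # Stand-in for Kerberos string-to-key: PBKDF2 salted with realm + user name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 4096)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Toy encrypt-then-MAC (HMAC keystream); NOT a real Kerberos encryption type.
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or tampered blob
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def client_as_req(user, password, realm, client_time):
    # Client side: only the sealed timestamp leaves the machine, never the password.
    key = derive_key(password, realm, user)
    return {"user": user, "pa_enc_timestamp": seal(key, struct.pack(">Q", client_time))}

def kdc_preauth(req, key_db, kdc_time):
    # KDC side: look up the stored key, decrypt, then compare clocks.
    key = key_db.get(req["user"])
    if key is None:
        return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
    plain = unseal(key, req["pa_enc_timestamp"])
    if plain is None:
        return "KDC_ERR_PREAUTH_FAILED"
    (client_time,) = struct.unpack(">Q", plain)
    if abs(kdc_time - client_time) > MAX_SKEW:
        return "KRB_AP_ERR_SKEW"
    return "OK"

# Constructed sample data: realm, user and password are made up for this example.
KEY_DB = {"alice": derive_key("S3cret!", "EXAMPLE.COM", "alice")}
```

A wrong password and a drifted clock fail at different steps, which is why the two show up as different errors when troubleshooting logons.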
