Kerberos Authentication

Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using symmetric key cryptography. When a user signs on to the local OS, a local agent (process) sends an authentication request to the Kerberos server. The server responds by sending the encrypted credentials for the user attempting to sign on to the system. The local agent then tries to decrypt the credentials using the user-supplied password. If the correct password has been supplied, the user is validated and given authentication tickets, which allow the user to access other Kerberos-authenticated services. In addition to the tickets, the user is also given a set of cipher keys that can be used to encrypt all data sessions.

1. Realm: A realm is an organizational boundary. Each realm has an Authentication Server (AS) and a Ticket Granting Server (TGS); together the AS and TGS form a Key Distribution Centre (KDC). All services and users in the realm are authenticated by the AS and receive tickets from the TGS.
2. Authentication Server: The AS registers all valid users and services. It provides clients with a Ticket Granting Ticket (TGT) for the TGS.
3. Ticket Granting Server: To minimize the workload of the AS in a Kerberos realm, the TGS grants the session tickets that clients use to start a session with a service. Clients must present the TGT issued by the AS to request a session ticket from the TGS.
4. Cross-realm authentication: Cross-realm authentication is the capability of users in one realm to be authenticated and access services in another realm. This is accomplished by the user’s realm registering a remote ticket-granting server (RTGS) in the realm of the service. Rather than having every pair of realms authenticate with each other, cross-realm authentication can be configured hierarchically.
5. Remote Ticket Granting Server: The TGS in a user’s realm registers with the remote TGS in order to enable its users to access services in remote realms.
6. Ticket: A ticket is a block of data that allows users to prove their identity to a service. Tickets are stored on the local system in a ticket cache, and each ticket carries a time stamp and a lifetime of ten hours. Limiting the lifetime of a ticket minimizes the chance of an attacker obtaining a ticket and being able to use it for unauthorized access.
7. Ticket cache: A portion of memory that stores all of a user’s Kerberos tickets. It is separate from applications so that several applications can use the same ticket.
8. Ticket Granting Ticket: A TGT is a ticket granted to a valid user by the AS in order to obtain tickets from the TGS; it is stored in the ticket cache.
9. Authenticator: A series of bits, a symbol, or a group of symbols inserted into a transmitted message in a predetermined manner and then used for validation. Authenticators are typically valid for 5 minutes.
10. Principal: A principal is any unique entity to which Kerberos can assign tickets.

Authentication
1. The user logs on and sends a registration request to the AS.
2. The AS authenticates the user and provides them with a TGT.

Ticket Granting Server
1. The user, holding a TGT, requests a ticket from the TGS.
2. The user accesses the service using that ticket.

RTGS
1. The client requests a TGT for the remote realm through its own TGS and is sent a remote TGT (RTGT).
2. Using that RTGT, the user contacts the RTGS and requests a ticket to access the remote service.
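The three single-realm procedures above (the AS exchange, the TGS exchange and the final service access), as an added example in Python that is not part of the original article. It models one realm only (no RTGS) and does the password check exactly as the text describes: the AS reply is encrypted under the user's password-derived key, so a wrong password simply cannot open it. The realm EXAMPLE.COM, the principals alice and host/fileserver, the passwords, the ticket layout and the toy cipher (a keyed SHAKE-256 keystream plus an HMAC-SHA256 tag, standing in for the AES-based Kerberos encryption types so that the code runs on the standard library alone) are all constructed for this example; the ten-hour ticket lifetime and five-minute authenticator window are the limits stated in the text.

```python
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 10 * 3600    # ten-hour ticket lifetime, as described in the text
AUTHENTICATOR_WINDOW = 5 * 60  # authenticators are accepted for five minutes

# Toy AEAD stand-in (keyed XOF keystream XOR plaintext, then an HMAC-SHA256 tag) for Kerberos' AES types.
def _xor(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def encrypt(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(_xor(key, nonce, ct))

def password_key(principal, password):  # password -> long-term key, salted with the principal name
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def check_ticket_and_authenticator(ticket, auth_blob, now):
    """Run by the TGS and by services: ticket lifetime first, then the fresh authenticator."""
    if not ticket["start"] <= now < ticket["end"]:
        raise PermissionError("ticket expired")
    auth = decrypt(bytes.fromhex(ticket["session_key"]), auth_blob)  # proves session-key possession
    if abs(now - auth["timestamp"]) > AUTHENTICATOR_WINDOW:
        raise PermissionError("authenticator outside the five-minute window")
    return ticket

class KDC:  # Authentication Server and Ticket Granting Server of one realm
    def __init__(self, realm):
        self.tgs = "krbtgt/" + realm
        self.keys = {self.tgs: os.urandom(32)}   # principal -> long-term key (the AS database)
    def _issue(self, client, service, now):
        session_key = os.urandom(32).hex()
        body = {"client": client, "service": service, "session_key": session_key,
                "start": now, "end": now + TICKET_LIFETIME}
        return session_key, encrypt(self.keys[service], body).hex()  # sealed with the service's key
    def as_exchange(self, client, now):
        """AS-REP: a TGT plus credentials that only the client's password-derived key opens."""
        session_key, tgt = self._issue(client, self.tgs, now)
        return encrypt(self.keys[client], {"service": self.tgs, "session_key": session_key}), tgt
    def tgs_exchange(self, tgt_hex, auth_blob, service, now):
        """TGS-REP: validate the TGT and its authenticator, then issue a service ticket."""
        tgt = decrypt(self.keys[self.tgs], bytes.fromhex(tgt_hex))
        check_ticket_and_authenticator(tgt, auth_blob, now)
        session_key, ticket = self._issue(tgt["client"], service, now)
        return encrypt(bytes.fromhex(tgt["session_key"]), {"service": service, "session_key": session_key}), ticket

def service_accept(service_key, ticket_hex, auth_blob, now):
    """The service side: open the ticket with its own long-term key, then run the standard checks."""
    ticket = decrypt(service_key, bytes.fromhex(ticket_hex))
    return check_ticket_and_authenticator(ticket, auth_blob, now)["client"]

class Client:
    def __init__(self, principal, password, kdc):
        self.principal, self.kdc, self.key = principal, kdc, password_key(principal, password)
        self.cache = {}   # ticket cache: service name -> (session key, ticket)
    def _store(self, key, reply, ticket):
        creds = decrypt(key, reply)   # with a wrong password the AS reply stays undecryptable
        self.cache[creds["service"]] = (bytes.fromhex(creds["session_key"]), ticket)
    def authenticator(self, session_key, now):
        return encrypt(session_key, {"client": self.principal, "timestamp": now})
    def logon(self, now):
        self._store(self.key, *self.kdc.as_exchange(self.principal, now))
    def get_service_ticket(self, service, now):
        tgs_key, tgt = self.cache[self.kdc.tgs]
        self._store(tgs_key, *self.kdc.tgs_exchange(tgt, self.authenticator(tgs_key, now), service, now))

def _fails(fn, exc):
    try:
        fn()
    except exc:
        return True
    return False

def run_demo(t0=1_700_000_000):
    """The three exchanges from the text, plus the failures the checks exist to catch."""
    kdc = KDC("EXAMPLE.COM")                        # constructed realm, user and service
    kdc.keys["alice"] = password_key("alice", "correct horse battery")   # AS registers the user
    kdc.keys["host/fileserver"] = os.urandom(32)                         # and the service
    fs_key, alice = kdc.keys["host/fileserver"], Client("alice", "correct horse battery", kdc)
    alice.logon(t0)                                 # 1. AS exchange: TGT lands in the cache
    alice.get_service_ticket("host/fileserver", t0 + 1)   # 2. TGS exchange: service ticket
    skey, ticket = alice.cache["host/fileserver"]
    stale = alice.authenticator(skey, t0 + 2)       # an authenticator captured now, replayed later
    late = t0 + 11 * 3600                           # past the ten-hour ticket lifetime
    return {
        "access": service_accept(fs_key, ticket, alice.authenticator(skey, t0 + 2), t0 + 2),  # 3. -> "alice"
        "wrong_password": _fails(lambda: Client("alice", "guess", kdc).logon(t0), ValueError),
        "replayed_authenticator": _fails(lambda: service_accept(fs_key, ticket, stale, t0 + 6 * 60), PermissionError),
        "expired_ticket": _fails(lambda: service_accept(fs_key, ticket, alice.authenticator(skey, late), late), PermissionError),
    }
```

`run_demo()` returns `"alice"` for the successful access and `True` for each of the three rejections. Two things worth noting about the design: every ticket is sealed with the long-term key of the party that will check it (the TGT with the TGS key, the service ticket with the service key), so a client can carry tickets around but never read or alter them; and the authenticator, encrypted under the per-ticket session key, is what ties a ticket to the moment of use. This model enforces only the five-minute window; a real KDC and service additionally keep a replay cache so that an authenticator captured inside the window is refused on its second use, and modern deployments require pre-authentication before the AS hands out the encrypted reply at all.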
