Bec d'état - Rebecca Scott

Blog | Links | Archive
About | Resume | Advisor profile | Projects | Contact

~/Notes on Kerberos and Active Directory

02 Nov 2015

These are just some notes I made while reading about Kerberos and Active Directory. They aren’t very technical or well-edited and probably have plenty of errors. Read at your peril!


Kerberos Data Flow

Authentication and SSO service access

Stage 1 - Initial sign-on

  1. Client sends user ID (in plain text) to authentication server (AS)
  2. AS finds the user in the database (Active Directory) and sends:
    • TGS Session Key - encrypted with user’s password (from AD)
    • Ticket Granting Ticket (TGT) - encrypted with the AS’s private key
  3. Client decrypts Session Key using the password the user entered
    • If it can’t decrypt the Session Key then it can’t be used and authentication has failed

Now the client has enough information to access the Ticket Granting Server.

Stage 2 - Getting Client/Server ticket, so the client can access a Service Server (SS)

  1. Client sends to Ticket Granting Server (TGS):
    • TGT and ID of requested service
    • Authenticator, encrypted using the TGS Session Key
  2. TGS decrypts the TGT using the AS’s private key, which gives it the session key.
  3. TGS uses the session key to decrypt the Authenticator
  4. TGS checks that the client has access to the requested service (using AD)
  5. TGS sends to client:
    • Client/Server Ticket, encrypted with the Service Server’s (SS) private key (the TGS has the SS’s private keys)
    • Client/Server Session Key, encrypted with the TGS Session Key

Now the client has enough information to access the Service Server.

Stage 3 - Accessing the Service Server

  1. Client sends to SS:
    • Client/Server Ticket (still encrypted with service’s private key)
    • A new Authenticator, encrypted using Client/Server Session Key
  2. SS decrypts the Client/Server Ticket using its private key
  3. SS uses the Client/Server Ticket to decrypt the Authenticator
  4. SS sends to client a message with the timestamp encoded in the Authenticator, encrypted with the Client/Server Ticket
  5. This verifies to the client that the SS can be trusted and is willing to service the client

Now the client and the SS can interact.

Active Directory