TOPIC: Kerberos Question

Kerberos Question 10 years 3 months ago #15606

  • FallenZer0
Hello All,

I'm reading the Authentication Service [AS] message exchange in RFC1510 [Kerberos Network Authentication Service V5].

Message Direction      Message Type
Client to Kerberos     KRB_AS_REQ message
Kerberos to Client     KRB_AS_REP or KRB_ERROR message

Section A:

The authentication service message exchange between the client and the authentication server is usually initiated by the client when it wishes to obtain authentication credentials for a given server, but currently holds no credentials.

Section B:

The authentication service message exchange is typically used at the initiation of a login session, to obtain credentials for a ticket-granting server [TGS], which will subsequently be used to obtain credentials for other servers, without requiring further use of the client's secret key.

q1]: Why is the AS exchange initiated at the login session? [Note: Please don't say to obtain credentials for a TGS. Why, you ask? My answer would be from Section A: I can reasonably conclude that the AS message exchange is capable of obtaining credentials for any server the client requests. So then why would I need the credentials for the TGS? Anyone correct me if I'm wrong]

q2]: Is TGS another Kerberos Server?

//EDIT: The AS [initial ticket request to KDC] exchange is initiated at the login session because the client obtains a ticket + session key to the ticket-granting service [TGS], which will not only help the client to authenticate itself to the TGS, but also to obtain credentials for servers that the client wishes to authenticate to. Yes, I stand corrected on my explanation for q1.

For q2, Ticket-Granting Ticket that is obtained in the AS exchange is sometimes referred to as Ticket-Granting Server.

If what I wrote per my understanding of reading and re-reading is incorrect, feel free to correct me.


-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
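The two quoted RFC 1510 passages (Section A and Section B in the post) can be traced in a small model of the exchanges. This is an added example, not part of the original post: the principals, the key database and the toy `seal`/`unseal` cipher are constructed for illustration, and timestamps, nonces and lifetimes are left out.

```python
import hashlib, hmac, json, os

def seal(key, obj):  # toy authenticated encryption, stands in for a real etype
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key).digest(len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key, box):
    ct, tag = box[:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("sealed with a different key")
    pt = bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key).digest(len(ct))))
    return json.loads(pt)

# Constructed principal database held by the KDC (used by both AS and TGS).
KDC_DB = {p: os.urandom(16) for p in ("alice", "krbtgt", "http", "imap")}

def issue(client, server, reply_key):
    """Build a ticket for `server` plus the reply part only the client can read."""
    session = os.urandom(16).hex()
    ticket = seal(KDC_DB[server], {"client": client, "key": session})
    return ticket, seal(reply_key, {"server": server, "key": session})

def kdc_as(client, server="krbtgt"):      # KRB_AS_REQ -> KRB_AS_REP
    # Section A: the reply is protected with the client's long-term secret key.
    return issue(client, server, KDC_DB[client])

def kdc_tgs(tgt, authenticator, server):  # TGS exchange, authenticated by the TGT
    t = unseal(KDC_DB["krbtgt"], tgt)
    tgt_key = bytes.fromhex(t["key"])
    if unseal(tgt_key, authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    # Section B: the reply is protected with the TGT session key instead.
    return issue(t["client"], server, tgt_key)

class Client:
    def __init__(self, name, secret_key):
        self.name, self.secret_key = name, secret_key

    def login(self):
        self.tgt, reply = kdc_as(self.name)
        self.tgt_key = bytes.fromhex(unseal(self.secret_key, reply)["key"])
        self.secret_key = None  # no further use of the secret key this session

    def ticket_for(self, server):
        auth = seal(self.tgt_key, {"client": self.name})
        ticket, reply = kdc_tgs(self.tgt, auth, server)
        return ticket, bytes.fromhex(unseal(self.tgt_key, reply)["key"])
```

After `login()` the client holds only the TGT and its session key, yet `ticket_for()` still works for every server; calling `kdc_as("alice", "http")` directly also works, but each such reply can only be opened with the long-term key.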