I'm reading the Authentication Service [AS] message exchange in RFC1510 [Kerberos Network Authentication Service V5].
Message Direction Message Type
Client to Kerberos KRB_AS_REQ message
Kerberos to Client KRB_AS_REP or KRB_ERROR message
The authentication service message exchange between the client and the authentication server is usually initiated by the client when it wishes to obtain authentication credentials for a given server, but currently holds no credentials.
The authentication service message exchange is typically used at the initiation of a login session, to obtain credentials for a ticket-granting server [TGS], which will subsequently be used to to obtain credentials for other servers, without requiring further use of the client's secret key.
q1]: Why is the AS exchange initiated at the Login session? [Note: Please don't say to obtain credentials for a TGS. Why you ask? My answer would be from Section A: I can reasonably conclude that AS message exchange is capable of obtaining credentials for any server, the client requests. So then why would I need the credentials for the TGS? Anyone correct me if I'm wrong]
q2]: Is TGS another Kerberos Server?
//EDIT: The AS [initial ticket request to KDC] exchange is initiated at the login session is because, the client obtains a ticket + session key to the ticket-granting service [TGS], which will not only help the client to authenticate itself to TGS, but also to obtain credentials for servers that the client wishes to authenticate. Yes I stand corrected for my explanation for q1.
For q2, Ticket-Granting Ticket that is obtained in the AS exchange is sometimes reffered to as Ticket-Granting Server.
If what I wrote per my understanding of reading and re-reading is incorrect, feel free to correct me.
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
The administrator has disabled public write access.