Ticket-Granting Process
To access a server that is configured for Kerberos, the client (HostExplorer) needs to provide this server with a ticket which verifies your identity.
The ticket-granting process is as follows:
- HostExplorer sends a request to the Authentication Server (AS) for a ticket-granting ticket (TGT).
- The AS returns a TGT to HostExplorer, which provides HostExplorer with access to the TGS. The TGT is used by HostExplorer to obtain service tickets from the TGS without having to provide a password each time it wants to connect to a kerberized service.
- HostExplorer sends a request to the TGS for a service ticket. The request is appended with the TGT received from the AS.
- The TGS uses the TGT to verify HostExplorer's identity, and then issues a ticket to HostExplorer for the desired service.
- HostExplorer sends the service ticket to the server. The server either rejects the ticket or accepts it. If the server accepts the ticket, then the user is considered authenticated and the connection is successful.
Because the server ticket is timestamped, HostExplorer can make additional requests to the server using this same ticket for a certain time period (usually 8 hours) without having to be re-authenticated. Therefore, an attacker who happens to capture the ticket cannot use it after the ticket expires.
For more information about Kerberos security, go to: