Ticket-Granting Service (TGS) Exchange
To request a ticket for another service from the KDC, the following process is used.
- The Kerberos client on the user's workstation requests credentials for the service by sending a message of type KRB_TGS_REQ (Kerberos Ticket-Granting Service Request). This message consists of the identity of the service for which the client is requesting credentials, an authenticator message encrypted with the user's new logon session key, and the TGT obtained from the Authentication Service (AS) Exchange.
- When it receives a KRB_TGS_REQ, the KDC decrypts the TGT with its secret key and extracts the user's logon session key.
- The KDC uses the logon session key to decrypt the user's authenticator message and evaluates it. If the authenticator passes the test, the KDC extracts the user's authorization data from the TGT and invents a session key for the user to share with the desired server.
- The KDC encrypts one copy of the service session key with the user's logon session key.
- The KDC embeds another copy of the service session key in a ticket, along with the user's authorization data, and encrypts the ticket with the server's master key.
- The KDC sends these credentials back to the client by replying with a message of type KRB_TGS_REP (Kerberos Ticket-Granting Service Reply).
- When the client receives the reply, it decrypts the service session key with the user's logon session key, and stores the service session key in its ticket cache.
- The client extracts the ticket to the server and stores that in its ticket cache.
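The eight steps above, played out end to end as an added example (this is illustrative code written for this page, not Microsoft's or MIT Kerberos's implementation). The cipher is a stand-in built from SHA-256 and HMAC so the script runs on the Python standard library alone; real Kerberos uses the RFC 3961 encryption types and ASN.1-encoded messages, and the principal names, the service name `cifs/fs01.corp.example`, and the authorization data are constructed values. The demo also shows the two checks that make the exchange safe: a TGT that has been modified, or an authenticator encrypted under a key other than the logon session key inside the TGT, is rejected before any service ticket is issued.

```python
"""Toy walk-through of the Kerberos TGS exchange (added example, not code
from the page's source). Toy cipher: SHA-256 keystream + HMAC tag."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON-serialisable dict."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds the krbtgt key (protects TGTs) and each server's master key."""

    def __init__(self) -> None:
        self.krbtgt_key = os.urandom(32)
        # Constructed service principal; a real KDC reads these from its database.
        self.server_keys = {"cifs/fs01.corp.example": os.urandom(32)}

    def issue_tgt(self, cname: str, logon_key: bytes, authz: list) -> bytes:
        """Stand-in for the AS exchange: a TGT carrying the logon session key."""
        return encrypt(self.krbtgt_key, {"cname": cname, "session_key": logon_key.hex(),
                                          "authz": authz, "endtime": time.time() + 36000})

    def tgs_exchange(self, req: dict) -> dict:
        """Handle a KRB_TGS_REQ and return the KRB_TGS_REP fields."""
        tgt = decrypt(self.krbtgt_key, req["tgt"])            # step 2: open the TGT
        logon_key = bytes.fromhex(tgt["session_key"])         #         extract logon session key
        auth = decrypt(logon_key, req["authenticator"])       # step 3: check the authenticator
        if auth["cname"] != tgt["cname"] or abs(time.time() - auth["ctime"]) > 300:
            raise ValueError("authenticator rejected")
        if time.time() > tgt["endtime"]:
            raise ValueError("TGT expired")
        service_key = os.urandom(32)                          #         invent service session key
        enc_part = encrypt(logon_key, {"sname": req["sname"],  # step 4: copy under logon key
                                       "session_key": service_key.hex()})
        ticket = encrypt(self.server_keys[req["sname"]],      # step 5: ticket under server key
                         {"cname": tgt["cname"], "sname": req["sname"],
                          "session_key": service_key.hex(), "authz": tgt["authz"]})
        return {"ticket": ticket, "enc_part": enc_part}       # step 6: KRB_TGS_REP


class Client:
    def __init__(self, cname: str, logon_key: bytes, tgt: bytes) -> None:
        self.cname, self.logon_key, self.tgt, self.cache = cname, logon_key, tgt, {}

    def get_service_ticket(self, kdc: KDC, sname: str) -> dict:
        req = {"sname": sname, "tgt": self.tgt,               # step 1: KRB_TGS_REQ
               "authenticator": encrypt(self.logon_key, {"cname": self.cname, "ctime": time.time()})}
        rep = kdc.tgs_exchange(req)
        enc = decrypt(self.logon_key, rep["enc_part"])        # step 7: recover service session key
        self.cache[sname] = {"session_key": bytes.fromhex(enc["session_key"]),
                             "ticket": rep["ticket"]}         # step 8: cache key and ticket
        return self.cache[sname]


def run_demo() -> dict:
    """Runs the exchange once and probes two failure modes; returns the outcomes."""
    kdc, logon_key, sname = KDC(), os.urandom(32), "cifs/fs01.corp.example"
    alice = Client("alice@CORP.EXAMPLE", logon_key,
                   kdc.issue_tgt("alice@CORP.EXAMPLE", logon_key, ["Domain Users"]))
    entry = alice.get_service_ticket(kdc, sname)
    # The server opens the ticket with its own master key and must find the same session key.
    ticket = decrypt(kdc.server_keys[sname], entry["ticket"])

    def rejected(client: Client) -> bool:
        try:
            client.get_service_ticket(kdc, sname)
            return False
        except ValueError:
            return True

    tampered = bytearray(alice.tgt)
    tampered[20] ^= 0x01  # flip one byte of the encrypted TGT body
    return {"keys_match": bytes.fromhex(ticket["session_key"]) == entry["session_key"],
            "authz_in_ticket": ticket["authz"],
            "tampered_tgt_rejected": rejected(Client(alice.cname, logon_key, bytes(tampered))),
            "wrong_logon_key_rejected": rejected(Client(alice.cname, os.urandom(32), alice.tgt))}


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the two rejection cases: the KDC never trusts the client's claimed identity directly. The name comes out of the TGT, which only the krbtgt key can open, and the authenticator proves the client holds the logon session key sealed inside that same TGT, so a TGT that has been altered or replayed by a party without the session key yields no service ticket.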