Platform SDK: Logon Authentication

Authentication Service (AS) Exchange

The user begins logging on to the network by typing a logon name and password. The Kerberos client on the user's workstation converts the password to an encryption key and saves the result in a program variable.

The client then requests credentials for the KDC's ticket-granting service by sending the KDC's authentication service a message of type KRB_AS_REQ (Kerberos Authentication Service Request). The first part of this message identifies the user and the TGS service being requested. The second part of the message contains pre-authentication data intended to prove that the user knows the password. This is simply an authenticator message encrypted with the master key derived from the user's logon password.

When the KDC receives KRB_AS_REQ, it looks up the user in its database, gets that user's master key, decrypts the pre-authentication data, and evaluates the timestamp inside. If the timestamp is valid, the KDC can be assured that the pre-authentication data was encrypted with the user's master key and thus that the client is genuine.

Once it has verified the user's identity, the KDC creates credentials that the client can present to the ticket-granting service.

  1. It invents a logon session key and encrypts a copy with the user's master key.
  2. It embeds another copy of the logon session key and the user's authorization data in a TGT, and encrypts the TGT with the KDC's own master key.
  3. The KDC sends these credentials back to the client by replying with a message of type KRB_AS_REP (Kerberos Authentication Service Reply).
  4. When the client receives the reply, it uses the key derived from the user's password to decrypt the new logon session key.
  5. The client stores the new key in its ticket cache.
  6. The client extracts the TGT from the message and stores that in its ticket cache as well.
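The whole AS exchange above, modelled end to end as an added example; this is not code from the Platform SDK or from any Kerberos implementation. The string-to-key function and the cipher are stand-ins (PBKDF2 and an HMAC-keyed stream with an HMAC tag, so it runs offline with only the standard library), and the realm, principal, password and function names are constructed for the example. It shows why the KDC can trust the pre-authentication data: a wrong password produces a key that fails the integrity check, and a timestamp outside the allowed skew is rejected as stale or replayed.

```python
import hashlib, hmac, json, os, secrets

MAX_SKEW = 300                               # seconds of clock skew the KDC tolerates
KDC_MASTER_KEY = secrets.token_bytes(32)     # krbtgt key: only the KDC ever holds it

def string_to_key(password, salt):           # stand-in for Kerberos string-to-key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, data):                         # stand-in cipher: nonce || ct || HMAC tag
    nonce, plain = os.urandom(16), json.dumps(data).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):                       # fails closed on wrong key or tampering
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("pre-auth/ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# constructed KDC database: one principal whose master key derives from a known password
USER_DB = {"alice": {"key": string_to_key("correct horse", b"EXAMPLE.REALMalice"),
                     "authz": ["Domain Users"]}}

def client_as_req(user, password, now):      # KRB_AS_REQ: identity + sealed timestamp
    key = string_to_key(password, b"EXAMPLE.REALM" + user.encode())
    return {"cname": user, "sname": "krbtgt", "padata": seal(key, {"timestamp": now})}, key

def kdc_as_rep(req, now):                    # KRB_AS_REP: verify pre-auth, mint key + TGT
    rec = USER_DB[req["cname"]]
    ts = unseal(rec["key"], req["padata"])["timestamp"]   # raises if key != user's key
    if abs(now - ts) > MAX_SKEW:
        raise PermissionError("pre-auth timestamp outside skew: stale or replayed")
    session_key = secrets.token_hex(32)      # logon session key, freshly invented
    tgt = seal(KDC_MASTER_KEY, {"cname": req["cname"], "session_key": session_key,
                                "authz": rec["authz"], "endtime": now + 36000})
    return {"enc_part": seal(rec["key"], {"session_key": session_key}), "tgt": tgt}

def logon(user, password, now):              # client side of the whole exchange
    req, key = client_as_req(user, password, now)
    rep = kdc_as_rep(req, now)
    return {"session_key": unseal(key, rep["enc_part"])["session_key"], "tgt": rep["tgt"]}
```

The client never learns KDC_MASTER_KEY, so it caches the TGT as an opaque blob and only the KDC can later open it to recover the session key and authorization data.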