The Authentication Service (AS) Exchange between the Client-Principal and the Kerberos Authentication Server is initiated when a Client-Principal wishes to obtain authentication credentials for a given server but currently holds no credentials.

The authentication service request/response exchange consists of the Kerberos TGT request that the client sends to the KDC and the reply that the KDC returns. If the exchange is successful, the client is provided with a TGT.

The AS does not verify that the Client-Principal issuing a request is a valid client; it blindly returns a ticket that an attacker won't be able to process without the Client-Principal's password.

The AS is the component of a Kerberos system that authenticates clients and issues the TGT that the client can send to the TGS to get a Client-To-Server Ticket.

In its basic form, the Client-Principal's secret key is used for encryption and decryption. This exchange is typically used at the initiation of a login session to obtain credentials for a Ticket-Granting Server, which will subsequently be used to obtain credentials for other services without requiring further use of the Client-Principal's secret key.

The AS exchange may also be used to request credentials for services that must not be mediated through the Ticket-Granting Service, but rather require knowledge of a Client-Principal's secret key, such as the password change service. The password-changing service denies requests unless the requester can demonstrate knowledge of the user's old password; requiring this knowledge prevents unauthorized password changes by someone walking up to an unattended session.
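The basic exchange described above can be modeled in a few lines. This is an added example, not code from a Kerberos implementation. It shows why a reply handed out without checking the requester is still useless without the password. Assumptions: JSON stands in for the ASN.1 messages, PBKDF2 stands in for the Kerberos string-to-key function, `seal`/`unseal` are a toy encrypt-then-MAC construction rather than a real Kerberos encryption type, and all names, the realm and the principal are constructed.

```python
import hashlib, hmac, json, os

def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key: long-term key derived from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC (illustration only, not a Kerberos enctype).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

REALM = "EXAMPLE.COM"      # constructed sample realm
TGS_KEY = os.urandom(32)   # known to the AS and the TGS only
KDC_DB = {"alice": string_to_key("correct horse", REALM + "alice")}  # constructed principal

def as_exchange(client: str) -> dict:
    # The AS only looks up the named principal; it does not check who is asking.
    session_key = os.urandom(32).hex()
    tgt = seal(TGS_KEY, json.dumps({"client": client, "key": session_key}).encode())
    enc_part = seal(KDC_DB[client], json.dumps(
        {"key": session_key, "server": "krbtgt/" + REALM}).encode())
    return {"ticket": tgt, "enc_part": enc_part}

def client_process_reply(client: str, password: str, reply: dict) -> str:
    # Only the holder of the password can recover the session key for the TGS.
    key = string_to_key(password, REALM + client)
    return json.loads(unseal(key, reply["enc_part"]))["key"]

def tgs_open_ticket(ticket: bytes) -> dict:
    # The TGT is opaque to the client; the TGS opens it with its own key.
    return json.loads(unseal(TGS_KEY, ticket))
```

The session key recovered by the client matches the one sealed inside the TGT, which is what lets later requests to the TGS proceed without further use of the Client-Principal's secret key.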


The AS-REQ-REP shows details of the operations.

