The Key Distribution Center has access to the user account information in the Kerberos Database (Microsoft Active Directory), and the Kerberos Authentication Service checks whether you are in the Kerberos Database. This check only establishes that the entity exists (i.e. no credentials are checked). The user is then granted a Ticket to Get Tickets (Ticket Granting Ticket) that is valid for the Kerberos Realm.

The Ticket Granting Ticket has a default lifetime of 10 hours and may be renewed throughout the user's log-on session without requiring the user to re-enter his password. The Ticket Granting Ticket may be put in cache on the local device or in Random Access Memory and used to request Kerberos sessions with Resources throughout the network.

The client sends a request to the AS, which identifies the client to the KDC in plaintext and consists of:
- Client-Principal - (e.g. email@example.com)
- Principal Service - "krbtgt/REALM@REALM"
- IPA List - which may be one or more IP addresses, or null
- Lifetime - is the maximum validity time (requested) for the Ticket Granting Ticket to be issued.

If the KDC reads a valid time when it uses the user's password-hash (stored in the Microsoft Active Directory) to decrypt the timestamp, the KDC knows that the request isn't a replay of a previous request.

When the request arrives, the Kerberos Authentication Service checks whether:
- Client-Principal exists in the Kerberos Database
- Service-Principal exists in the Kerberos Database

It then:
- randomly creates a TGS Session Key shared between the client and the Ticket Granting Service
- creates the Ticket Granting Ticket putting inside:

It may seem that this message contains redundant information (Service-Principal, timestamp, lifetime and TGS Session Key). However, since the information in the Ticket Granting Ticket is encrypted using the TGS Session Key for the server (KTGS), the client cannot read the TGT, so the information needs to be repeated.

The salt is concatenated with the password and then the string2key function is applied; the resulting key is used to decrypt the part of the message that the AS encrypted using the Secret-key of the user stored in the Kerberos Database. If the user is really who he/she says, and has thus entered the correct password, the decryption succeeds, so the TGS Session Key can be extracted and, together with the TGT (which remains encrypted), stored in the user's credential cache.

In Kerberos implementations (Microsoft Windows) the lifetime can be set from the configuration of the KDC and applied to any ticket.
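
The reply handling described above, as an added example that is not part of the original page: the KDC repeats the Service-Principal, timestamp, lifetime and TGS Session Key outside the TGT, and the client recovers them only with the key derived from password and salt. Assumptions: the PBKDF2 stage of the RFC 3962 string-to-key stands in for string2key, `seal`/`unseal` are a toy cipher rather than a Kerberos enctype, and the realm, principal and passwords are constructed.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"  # constructed realm, not from the page

def string2key(password: str, salt: bytes) -> bytes:
    # Stand-in: PBKDF2-HMAC-SHA1 stage of the AES string-to-key (RFC 3962),
    # without its final key-derivation step, so not an interoperable key.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plain: bytes) -> bytes:
    # Toy encrypt-then-MAC cipher (assumption) standing in for a Kerberos enctype.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def as_reply(user_key: bytes, k_tgs: bytes, client: str, lifetime: int = 36000) -> dict:
    # KDC side: the same fields go into the TGT and into the part the client can read.
    fields = {"service": f"krbtgt/{REALM}@{REALM}", "timestamp": int(time.time()),
              "lifetime": lifetime, "tgs_session_key": os.urandom(32).hex()}
    tgt = seal(k_tgs, json.dumps({"client": client, **fields}).encode())
    return {"tgt": tgt, "enc_part": seal(user_key, json.dumps(fields).encode())}

def client_open(reply: dict, password: str, salt: bytes):
    # Client side: derive the key from password and salt, decrypt only enc_part.
    plain = unseal(string2key(password, salt), reply["enc_part"])
    if plain is None:
        return None  # wrong password: no TGS Session Key is recovered
    return {"tgt": reply["tgt"], **json.loads(plain)}  # TGT is cached still encrypted

def demo():
    salt = (REALM + "alice").encode()  # realm + principal name, constructed principal
    user_key, k_tgs = string2key("correct horse", salt), os.urandom(32)
    reply = as_reply(user_key, k_tgs, "alice@" + REALM)
    return client_open(reply, "correct horse", salt), client_open(reply, "guess", salt), k_tgs
```

`demo()` returns the opened reply for the correct password, `None` for the wrong one, and the KDC-only key so the TGT contents can be compared with the repeated fields.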