Overview [1]

TGS Exchange (TGS-REQ-REP) is the Authentication Method between the Ticket Granting Service and the Kerberos Client when requesting access to a Resource.

TGS Exchange includes:

Kerberos requires a Service Ticket be presented to the Service Provider to obtain access to a Resource.

The client presents the Ticket Granting Ticket to the Ticket Granting Service when desiring access to a Protected Resource on a Service Provider.

The Ticket Granting Service authenticates the user's Ticket Granting Ticket and creates a Service Ticket and Client-To-Server Session Key for both the client and the remote Service Provider. The Service Ticket may be stored in cache on the local device.

The Ticket Granting Service receives the client's Ticket Granting Ticket and reads it using its own key.

If the Ticket Granting Service approves of the client's request, a Service Ticket is generated for both the client and the target Service Provider.
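
The exchange described above, as an added Python sketch (not code from the original page or from any Kerberos implementation). Assumptions: `seal`/`unseal` are a toy HMAC-SHA256 construction standing in for real Kerberos encryption types, messages are JSON rather than ASN.1, the authenticator check follows RFC 4120 rather than this page, and all keys and principal names are constructed.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    # SHA-256 in counter mode: a toy keystream, not a real Kerberos etype
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key (toy authenticated encryption)."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the MAC, then decrypt; a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def tgs_exchange(tgs_key, service_keys, tgt, authenticator, service):
    """TGS side of TGS-REQ/TGS-REP: returns (service_ticket, reply_for_client)."""
    t = unseal(tgs_key, tgt)                    # the TGS reads the TGT with its own key
    if t["expires"] < time.time():
        raise ValueError("TGT expired")
    tgt_session = bytes.fromhex(t["session_key"])
    if unseal(tgt_session, authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match TGT")
    if service not in service_keys:
        raise ValueError("unknown service")
    cs_key = os.urandom(32).hex()               # fresh Client-To-Server Session Key
    body = {"client": t["client"], "session_key": cs_key, "expires": t["expires"]}
    ticket = seal(service_keys[service], body)  # readable only by the Service Provider
    reply = seal(tgt_session, {"service": service, "session_key": cs_key})
    return ticket, reply

def demo():
    """Constructed keys and principals: one exchange seen from client and service."""
    tgs_key, svc_key, tgt_session = os.urandom(32), os.urandom(32), os.urandom(32)
    tgt = seal(tgs_key, {"client": "alice@EXAMPLE.TEST", "expires": time.time() + 600,
                         "session_key": tgt_session.hex()})
    auth = seal(tgt_session, {"client": "alice@EXAMPLE.TEST", "time": time.time()})
    ticket, reply = tgs_exchange(tgs_key, {"http/web.example.test": svc_key},
                                 tgt, auth, "http/web.example.test")
    return unseal(tgt_session, reply), unseal(svc_key, ticket), ticket, tgt_session

if __name__ == "__main__":
    print(demo()[:2])  # what the client and the Service Provider each recover
```

The client and the Service Provider recover the same Client-To-Server Session Key from different ciphertexts, and the client cannot open the Service Ticket itself because it never holds the service's key.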

After TGS Exchange

Only when the Client Service Ticket and Client-To-Server Session Key are obtained can the Client attempt to access a Protected Resource using the Client-Server Exchange.

More Information

There might be more information for this subject on one of the following:
  • [#1] - Kerberos Explained - based on information obtained 2007-04-21