To access the service on the server, the client builds an authenticator encrypted with the session key it shares with that server. The client then sends the authenticator and the server ticket to the server in an application-defined way, for example inside an SMB session setup message.
Figure 8 shows the messages exchanged in a Kerberos process.
Figure 8. Simplified Kerberos authentication process
- The client sends an as_req message to the AS to request a TGT.
- The AS replies with an as_rep message to the client. The message contains a session key to be shared between the client and the TGS, encrypted with the client's secret key so that only the legitimate client can recover it, and a TGT encrypted with the TGS secret key.
- The client sends a tgs_req message to the TGS to request a ticket for the server. The message contains an authenticator encrypted with the client/TGS session key, the TGT, and other information.
- The TGS replies with a tgs_rep message to the client. The message contains a new session key, to be shared between the client and the server, and a ticket for the target server encrypted with the server's secret key.
- The client sends an ap_req message to the server. The message contains an authenticator encrypted with the new session key and the encrypted server ticket.
- The server can reply with an ap_rep message. This response is optional and is only used when the client requires mutual authentication, that is, proof that the server also holds the key needed to open the ticket and the authenticator.
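The message flow above, as an added worked example that is not code from the original page: a Python simulation in which a KDC object plays the AS and TGS, an application server object plays the target service, and a client function walks through as_req/as_rep, tgs_req/tgs_rep and ap_req/ap_rep. Everything in it is an assumption made for the demo: the principal names `alice`, `krbtgt` and `cifs/fileserver`, the password, the ticket lifetime and clock-skew values, and the symmetric cipher, which is a toy (HMAC-derived keystream plus HMAC tag) used only so the file runs on a stock Python install. It models who can decrypt which ticket and authenticator, not RFC 4120 wire encoding, pre-authentication, or real Kerberos encryption types.

```python
"""Toy walkthrough of the Kerberos AS, TGS and AP exchanges listed above.
Added example, not code from the original page. The cipher is a stand-in
(HMAC keystream + HMAC tag) so it runs on stock Python; it models who can
decrypt which ticket/authenticator, not RFC 4120 encoding, pre-auth or real
enctypes. Principal names, passwords and lifetimes are constructed."""
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300        # seconds; assumption modelled on a typical KDC setting
TICKET_LIFE = 8 * 3600  # seconds; constructed ticket lifetime for the demo


def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, payload: dict) -> dict:
    """Encrypt-then-MAC a JSON payload; only holders of `key` can open it."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_kdf(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, blob: dict) -> dict:
    """Verify the tag before decrypting; a wrong key raises instead of returning garbage."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(_kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(_kdf(key, b"enc"), nonce, len(ct)))))


def check_authenticator(ticket: dict, auth: dict) -> None:
    """Checks both the TGS and the application server perform on an authenticator."""
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(time.time() - auth["ctime"]) > CLOCK_SKEW or time.time() > ticket["endtime"]:
        raise ValueError("authenticator outside clock skew or ticket expired")


class KDC:
    """Plays both the AS and the TGS; key_db maps principal name -> long-term key."""
    def __init__(self, key_db: dict):
        self.key_db = key_db

    def as_exchange(self, as_req: dict) -> dict:
        # as_rep: client/TGS session key under the client's key, TGT under the krbtgt key
        cname, sk1, end = as_req["cname"], os.urandom(32), time.time() + TICKET_LIFE
        tgt = seal(self.key_db["krbtgt"], {"cname": cname, "session_key": sk1.hex(), "endtime": end})
        enc = seal(self.key_db[cname], {"session_key": sk1.hex(), "sname": "krbtgt", "endtime": end})
        return {"enc_part": enc, "ticket": tgt}

    def tgs_exchange(self, tgs_req: dict) -> dict:
        # The TGS never sees the client's password: it trusts the TGT it can decrypt itself
        tgt = unseal(self.key_db["krbtgt"], tgs_req["ticket"])
        sk1 = bytes.fromhex(tgt["session_key"])
        check_authenticator(tgt, unseal(sk1, tgs_req["authenticator"]))
        sname, sk2, end = tgs_req["sname"], os.urandom(32), time.time() + TICKET_LIFE
        ticket = seal(self.key_db[sname], {"cname": tgt["cname"], "session_key": sk2.hex(), "endtime": end})
        return {"enc_part": seal(sk1, {"session_key": sk2.hex(), "sname": sname, "endtime": end}),
                "ticket": ticket}


class AppServer:
    """Application service; it knows only its own key and never contacts the KDC here."""
    def __init__(self, sname: str, key: bytes):
        self.sname, self.key, self.replay_cache = sname, key, set()

    def ap_exchange(self, ap_req: dict):
        ticket = unseal(self.key, ap_req["ticket"])
        sk2 = bytes.fromhex(ticket["session_key"])
        auth = unseal(sk2, ap_req["authenticator"])
        check_authenticator(ticket, auth)
        if (auth["cname"], auth["ctime"]) in self.replay_cache:  # a captured ap_req cannot be reused
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["cname"], auth["ctime"]))
        # Optional ap_rep: echo the client's timestamp under sk2 to prove the server holds the key
        ap_rep = seal(sk2, {"ctime": auth["ctime"]}) if ap_req.get("mutual_required") else None
        return auth["cname"], ap_rep


def run_client(kdc: KDC, server: AppServer, cname: str, password: str, mutual_required=True) -> dict:
    client_key = hashlib.sha256(password.encode()).digest()  # stand-in for Kerberos string2key
    as_rep = kdc.as_exchange({"cname": cname, "sname": "krbtgt"})
    sk1 = bytes.fromhex(unseal(client_key, as_rep["enc_part"])["session_key"])  # wrong password fails here
    tgs_rep = kdc.tgs_exchange({"ticket": as_rep["ticket"], "sname": server.sname,
                                "authenticator": seal(sk1, {"cname": cname, "ctime": time.time()})})
    sk2 = bytes.fromhex(unseal(sk1, tgs_rep["enc_part"])["session_key"])
    ctime = time.time()
    ap_req = {"ticket": tgs_rep["ticket"], "mutual_required": mutual_required,
              "authenticator": seal(sk2, {"cname": cname, "ctime": ctime})}
    who, ap_rep = server.ap_exchange(ap_req)
    mutual_ok = ap_rep is not None and unseal(sk2, ap_rep)["ctime"] == ctime
    return {"authenticated_as": who, "mutual_verified": mutual_ok, "ap_req": ap_req}


def make_realm() -> dict:
    """Constructed key database for the demo realm (assumed names and password)."""
    return {"alice": hashlib.sha256(b"alice-password").digest(),
            "krbtgt": os.urandom(32), "cifs/fileserver": os.urandom(32)}
```

Reading the code against the list: the client can only recover the client/TGS session key from as_rep if it holds the key derived from the right password, which is where a wrong password fails; the TGS and the server each open the ticket with their own long-term key and then open the authenticator with the session key found inside it, so a ticket stolen without its session key is useless; and the optional ap_rep lets the client confirm that the server really holds the server key. The replay cache on the server shows why the authenticator carries a timestamp: replaying a captured ap_req is rejected even though it is otherwise valid.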