
Kerberos Authentication

This topic describes the basic principles of Kerberos authentication and provides information on how to use this authentication method in Rochade.

Kerberos has these characteristics:

  • Authentication involves three parties: the client (for example, a Rochade component such as Metability), the server (for example, a Rochade Server), and the Kerberos key distribution center (KDC).
  • When the operating system itself is integrated with Kerberos (as on a Windows domain member), the user is authenticated by Kerberos at logon; otherwise an explicit kinit call is required. If authentication succeeds, the client receives a ticket granting ticket (TGT) from the KDC.
  • If a user wants to access a specific service (for example, a Rochade Server), the client uses the TGT to request a ticket for that service (a service ticket) from the KDC, and then sends the service ticket to the service to prove the user's identity.
  • The client and the KDC identify services through their unique service principal name (SPN). The KDC includes the SPN in the service ticket and encrypts the ticket using a key that is known only to the service and the KDC.
  • Because each ticket is encrypted with a key known only to the KDC and the party the ticket is issued to, neither the client nor an eavesdropper can read or alter the ticket contents; a service rejects any ticket that does not decrypt and verify under its own key.
    In addition, the timestamp the client sends along with each service ticket (the authenticator) and the short lifetime of service tickets limit replay attacks: the service rejects authenticators whose timestamp lies outside its permitted clock skew (five minutes by default) and may cache recently seen authenticators. This, however, means that the clocks of clients, servers, and the KDC must be synchronized.
  • Because the KDC verifies the user's identity only once and the user proves that identity to services with service tickets, Kerberos provides single sign-on (SSO) for authenticating users to services such as a Rochade Server.
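The following is an added worked example, not part of Rochade or of the original page, that models the three exchanges described above (AS: TGT issuance, TGS: service ticket issuance, AP: presenting the ticket and an authenticator to the service) for a constructed user "alice@EXAMPLE.COM" and a constructed SPN "rochade/rochade1.example.com@EXAMPLE.COM". The cryptography is a deliberate stand-in (an HMAC-SHA256 keystream plus an HMAC tag, not a real Kerberos encryption type), but the checks are the ones the text describes: tickets are sealed under a key known only to the KDC and the recipient, the service verifies the SPN and expiry, and authenticators are rejected when replayed or outside the clock-skew window.

```python
"""Toy model of the Kerberos AS/TGS/AP exchanges (added example, not Rochade code)."""
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300          # seconds; the usual default tolerance for authenticators
TICKET_LIFETIME = 600     # seconds; constructed value for this example


def _keystream(key, nonce, n):
    """CTR-style keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under key -> nonce || ct || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag and decrypt; ValueError on a wrong key or any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self):
        self.principals = {}                 # principal name -> long-term key
        self.krbtgt_key = os.urandom(32)     # TGTs are sealed under this; KDC-only

    def register(self, name):
        self.principals[name] = os.urandom(32)
        return self.principals[name]

    def as_exchange(self, user, now):
        """AS-REQ/AS-REP: the reply is sealed under the user's key, so only a client
        holding that key (password-derived, or the OS logon) recovers the session key."""
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": user, "key": session, "expires": now + TICKET_LIFETIME})
        return seal(self.principals[user], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, spn, now):
        """TGS-REQ/TGS-REP: validate the TGT, then issue a ticket for spn sealed
        under the service's long-term key (known only to the service and the KDC)."""
        t = unseal(self.krbtgt_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if now > t["expires"] or a["client"] != t["client"] or abs(now - a["time"]) > CLOCK_SKEW:
            raise ValueError("TGT or authenticator not acceptable")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.principals[spn], {"client": t["client"], "spn": spn,
                                             "key": svc_session, "expires": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": svc_session, "ticket": ticket.hex()})


class Service:
    def __init__(self, spn, key):
        self.spn, self.key, self.replay_cache = spn, key, set()

    def ap_exchange(self, ticket, authenticator, now):
        """AP-REQ: decrypt the ticket with our own key, then check the authenticator."""
        t = unseal(self.key, ticket)                       # altered ticket fails here
        if t["spn"] != self.spn or now > t["expires"]:
            raise ValueError("ticket not valid for this service")
        a = unseal(bytes.fromhex(t["key"]), authenticator)  # session key from the ticket
        if a["client"] != t["client"]:
            raise ValueError("authenticator/ticket mismatch")
        if abs(now - a["time"]) > CLOCK_SKEW:
            raise ValueError("clock skew too large")
        if (a["client"], a["time"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["time"]))
        return t["client"]


def client_login(kdc, user, user_key, service, now):
    """Full SSO flow: one AS exchange, then a service ticket presented to the service."""
    as_rep = unseal(user_key, kdc.as_exchange(user, now))
    tgt_key, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(tgt_key, kdc.tgs_exchange(tgt, seal(tgt_key, {"client": user, "time": now}),
                                               service.spn, now))
    svc_key, ticket = bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])
    auth = seal(svc_key, {"client": user, "time": now})
    return ticket, auth, service.ap_exchange(ticket, auth, now)


def demo():
    """Constructed scenario: a good login, then a replay, a stale authenticator and a tampered ticket."""
    kdc, now = KDC(), int(time.time())
    alice_key = kdc.register("alice@EXAMPLE.COM")
    spn = "rochade/rochade1.example.com@EXAMPLE.COM"   # constructed SPN
    svc = Service(spn, kdc.register(spn))
    ticket, auth, who = client_login(kdc, "alice@EXAMPLE.COM", alice_key, svc, now)
    results = {"login": who}
    for label, args in [("replay", (ticket, auth, now + 1)),
                        ("stale", (ticket, auth, now + CLOCK_SKEW + 1)),
                        ("tampered", (ticket[:-1] + bytes([ticket[-1] ^ 1]), auth, now))]:
        try:
            svc.ap_exchange(*args)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

Running `demo()` shows the service accepting the first AP exchange and rejecting the same authenticator when replayed, an authenticator presented more than CLOCK_SKEW seconds later (which is why the clocks of clients, servers and the KDC must be synchronized), and a ticket whose bytes were modified in transit.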

For a detailed introduction to Kerberos, see, for example, the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/bb742431.aspx.