General Security Concepts: Access Control, Authentication, and Auditing • Chapter 1 19
Figure 1.4 Kerberos Required Components
[Figure: Client (User, Service, or Machine); Resource Server or Storage; Key Distribution Center (KDC)]
As Figure 1.4 shows, Kerberos requires an authentication server (the
KDC). In a Kerberos realm, whether in a UNIX-based or Windows-based OS, the
authentication process is the same. To illustrate, imagine that a client needs to
access a resource on the resource server. As we proceed, follow the
authentication path in Figure 1.5 for logon, and then in Figure 1.6 for
resource access.
Figure 1.5 Authentication Path for Logon Access in a Kerberos Realm
[Figure: Client (User, Service, or Machine) and Key Distribution Center (KDC), with these labelled steps]
1: During logon, credential validated by KDC
2: KDC, after authentication, issues a TGT
3: TGT is cached locally while user or service is logged on
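The three logon steps of Figure 1.5, modelled as an added Python example (not from the book and not real Kerberos code). The class and method names and the realm are hypothetical, and an HMAC stands in for Kerberos encryption, so this TGT is tamper-evident rather than encrypted.

```python
import hashlib, hmac, json, os, time

def derive_key(password, principal):
    # Simplified string-to-key: long-term key from the password, salted by principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class KDC:
    def __init__(self, realm, tgt_lifetime=600):
        self.realm, self.tgt_lifetime = realm, tgt_lifetime
        self._kdc_key = os.urandom(32)  # known only to the KDC
        self._principals = {}           # principal -> long-term key

    def add_principal(self, principal, password):
        self._principals[principal] = derive_key(password, principal)

    def authenticate(self, principal, timestamp, proof, now, skew=300):
        # Step 1: validate the credential (proof of key possession, no password sent).
        key = self._principals.get(principal, b"\0" * 32)
        fresh = abs(now - timestamp) <= skew
        good = hmac.compare_digest(proof, mac(key, str(timestamp).encode()))
        if principal not in self._principals or not fresh or not good:
            return None
        # Step 2: issue a TGT the client can hold but cannot alter.
        body = json.dumps({"principal": principal, "realm": self.realm,
                           "expires": now + self.tgt_lifetime}).encode()
        return body + mac(self._kdc_key, body)

    def tgt_is_valid(self, tgt, now):
        body, tag = tgt[:-32], tgt[-32:]
        if not hmac.compare_digest(tag, mac(self._kdc_key, body)):
            return False                # forged or modified ticket
        return json.loads(body)["expires"] > now

class Client:
    def __init__(self, principal):
        self.principal = principal
        self.ticket_cache = None        # Step 3: TGT lives here only while logged on

    def logon(self, kdc, password, now=None):
        now = time.time() if now is None else now
        proof = mac(derive_key(password, self.principal), str(now).encode())
        self.ticket_cache = kdc.authenticate(self.principal, now, proof, now)
        return self.ticket_cache is not None

    def logoff(self):
        self.ticket_cache = None        # cached TGT is discarded at logoff
```

The KDC rejects a wrong password, an unknown principal, a stale timestamp, an expired ticket and a ticket whose contents were edited after issue.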
www.syngress.com