
20     Chapter 1 • General Security Concepts: Access Control, Authentication, and Auditing

As seen in Figure 1.5, two events occur as credentials (password, Smart Card, biometrics) are presented to the KDC for authentication. This is due to the dual role of the KDC: it acts as both an Authentication Server and a Ticket Granting Server. First, the authentication credential is presented to the KDC, where it is authenticated using the Authentication Server mechanism. Second, the KDC issues a Ticket Granting Ticket (TGT) through the Ticket Granting Server mechanism; the TGT is associated with the access token while you are actively logged in and authenticated. This TGT expires when you (or the service) disconnect or log off the network, or after it times out. The Kerberos administrator can alter the expiry timeout as needed to fit the organizational needs, but the default is one day (86400 seconds). The TGT is cached locally for use during the active session.

Figure 1.6 shows the process for resource access in a Kerberos realm. It starts by presenting the previously granted TGT to the authenticating KDC. The authenticating KDC returns a session ticket to the entity wishing to access the resource. This session ticket is then presented to the remote resource server. The remote resource server, after accepting the session ticket, allows the session to be established to the resource.
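The two exchanges just described (logon to the KDC's Authentication Server, then TGT presented to its Ticket Granting Server for a session ticket that the resource server accepts) can be traced in a small simulation. The following is an added example written for this edition, not code from the book or from any Kerberos implementation. It is a deliberately simplified model: tickets are HMAC-sealed JSON rather than encrypted ASN.1 structures, the session key is wrapped with an HMAC keystream instead of a Kerberos encryption type, and the clock is passed in explicitly so the one-day TGT timeout can be exercised without waiting. The realm EXAMPLE.COM, the principal alice, the service cifs/fileserver, the password and the one-hour service ticket lifetime are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"                # constructed realm name
TGS_PRINCIPAL = f"krbtgt/{REALM}"    # principal of the Ticket Granting Server
DEFAULT_TGT_LIFETIME = 86400         # one day, the default quoted in the text
SERVICE_TICKET_LIFETIME = 3600       # assumed lifetime for per-service session tickets
CLOCK_SKEW = 300                     # pre-authentication timestamps outside this are refused
TAG_LEN = 32

def derive_key(principal: str, password: str) -> bytes:
    """Long-term key from a password; client and KDC derive the same bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 100_000)

def seal(key: bytes, fields: dict) -> bytes:
    """Bind ticket fields to a key with HMAC-SHA256 (integrity only; real tickets are encrypted)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before trusting any field; an altered or forged ticket raises."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise PermissionError("ticket integrity check failed")
    return json.loads(body)

def wrap(key: bytes, nonce: bytes, session_key: bytes) -> bytes:
    """XOR a 32-byte session key with an HMAC keystream; applying it again unwraps."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(session_key, stream))

class KDC:
    """Authentication Server and Ticket Granting Server in one process, as in the text."""
    def __init__(self, principals: dict, tgt_lifetime: int = DEFAULT_TGT_LIFETIME):
        self.keys = dict(principals)        # long-term keys of users, services and krbtgt
        self.tgt_lifetime = tgt_lifetime    # the administrator-adjustable expiry timeout

    def as_exchange(self, client: str, ts: int, proof: bytes, now: int):
        """Authentication Server: verify pre-authentication, then issue a TGT."""
        key = self.keys[client]
        expected = hmac.new(key, str(ts).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof) or abs(now - ts) > CLOCK_SKEW:
            raise PermissionError("pre-authentication failed")
        session_key, nonce = os.urandom(32), os.urandom(16)
        tgt = seal(self.keys[TGS_PRINCIPAL], {"client": client, "service": TGS_PRINCIPAL,
                   "key": session_key.hex(), "expires": now + self.tgt_lifetime})
        return tgt, nonce, wrap(key, nonce, session_key)   # session key readable only by the client

    def tgs_exchange(self, tgt: bytes, service: str, now: int) -> bytes:
        """Ticket Granting Server: accept an unexpired TGT, issue a ticket for one service."""
        fields = unseal(self.keys[TGS_PRINCIPAL], tgt)
        if fields["service"] != TGS_PRINCIPAL or now >= fields["expires"]:
            raise PermissionError("TGT expired")
        return seal(self.keys[service], {"client": fields["client"], "service": service,
                    "key": os.urandom(32).hex(), "expires": now + SERVICE_TICKET_LIFETIME})

class ResourceServer:
    """Accepts only session tickets sealed under its own long-term key and naming it."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, now: int) -> str:
        fields = unseal(self.key, ticket)
        if fields["service"] != self.name or now >= fields["expires"]:
            raise PermissionError("session ticket not valid for this service or expired")
        return fields["client"]    # the authenticated principal the session runs as

class Client:
    """Logs on once, caches the TGT, and presents it for every later resource access."""
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc, self.key = name, kdc, derive_key(name, password)
        self.tgt = None            # locally cached TGT for the active session

    def logon(self, now: int):
        proof = hmac.new(self.key, str(now).encode(), hashlib.sha256).digest()
        self.tgt, nonce, wrapped = self.kdc.as_exchange(self.name, now, proof, now)
        self.session_key = wrap(self.key, nonce, wrapped)

    def access(self, server: ResourceServer, now: int) -> str:
        ticket = self.kdc.tgs_exchange(self.tgt, server.name, now)   # reuse the cached TGT
        return server.ap_exchange(ticket, now)

def demo() -> dict:
    """Logon, one resource access, then a second access after the TGT has timed out."""
    fileserver_key = os.urandom(32)
    kdc = KDC({"alice": derive_key("alice", "constructed-password"),
               TGS_PRINCIPAL: os.urandom(32), "cifs/fileserver": fileserver_key})
    fileserver = ResourceServer("cifs/fileserver", fileserver_key)
    alice = Client("alice", "constructed-password", kdc)
    t0 = 1_700_000_000
    alice.logon(now=t0)
    out = {"first_access": alice.access(fileserver, now=t0 + 60),
           "key_agreed": unseal(kdc.keys[TGS_PRINCIPAL], alice.tgt)["key"] == alice.session_key.hex()}
    try:
        alice.access(fileserver, now=t0 + DEFAULT_TGT_LIFETIME + 1)
        out["after_timeout"] = "allowed"
    except PermissionError as exc:
        out["after_timeout"] = str(exc)
    return out
```

Running `demo()` shows the first access succeeding as `alice` with the client and KDC holding the same session key, and the access attempted one second past the 86400-second default being refused at the Ticket Granting Server, because the cached TGT has timed out and a fresh logon is needed. The resource server never sees the client's password or long-term key: it trusts the session ticket only because that ticket was sealed with the service's own key, which the KDC alone shares with it.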


Figure 1.6 Resource Access in Kerberos Realms

[Figure: Client (User, Service, or Machine), Key Distribution Center (KDC), and Resource Server or Storage, with four numbered steps:]
1: TGT presented to the KDC
2: Session Ticket returned to requesting client or service
3: Session Ticket presented to target server or resource
4: Session established, communication allowed for session duration.






          www.syngress.com