Keytab, service and contacts with the KDC/AD


Keytab, service and contacts with the KDC/AD

Emmanuel Coirier
Hi everyone !

Last week I had a technical discussion with an experienced guy. He told me that a "kerberized" service needs to contact the KDC to confirm the validity of a client authenticator, and that the keytab contains some credentials needed to contact this KDC.

Since he's an important guy who does a great job, I don't want to openly contradict him. So I need to confirm the right Kerberos mechanisms before telling him that he's not completely right about the Kerberos protocol.

I leave aside the TGT part of the Kerberos protocol, which is out of scope for my question.

My theory is that when a client wants to authenticate with a service, it gets a ticket from the KDC dedicated to that service. Then the client generates an authenticator embedding the retrieved ticket, and adds its identity and a timestamp, encrypted with the session key given along with the service ticket by the KDC.

Since the service ticket contains the session key encrypted with the service key, and the service knows its key via the keytab file, the service is able to decrypt the ticket, get the session key, decrypt the remaining part of the authenticator, and compare the identity encrypted with the session key with the identity embedded in the ticket service, enabling it to authenticate the client.

All of this without the service contacting the KDC. That is the most important point.

Am I right ?

Thanks !

--
Emmanuel Coirier
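The exchange described in this post, as an added example that is not part of the original thread or of any Kerberos implementation: a toy AP exchange in Python where the KDC issues a service ticket, the client builds an authenticator, and the service verifies both using nothing but its keytab key and a clock. The encryption is a constructed HMAC-SHA256 stream cipher with a MAC tag standing in for a real enctype, and the principal names, lifetime and scenario labels are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed stand-in for a Kerberos enctype (e.g. aes256-cts-hmac-sha1-96):
# HMAC-SHA256 in counter mode as keystream plus an HMAC-SHA256 tag.
# Example-only construction; not what MIT Kerberos, Heimdal or AD implement.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under key."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class AuthError(Exception):
    pass


# --- KDC (TGS exchange; the TGT step is left out, as in the post) ---
def kdc_issue_service_ticket(kdc_keys, cname, sname, now, lifetime=8 * 3600):
    """Fresh session key, sealed inside the ticket under the service's long-term
    key from the KDC database, and handed to the client alongside the ticket."""
    session_key = os.urandom(32)
    ticket = seal(kdc_keys[sname], {"cname": cname, "sname": sname,
                                    "key": session_key.hex(), "endtime": now + lifetime})
    return ticket, session_key


# --- client ---
def client_build_ap_req(ticket, session_key, cname, now):
    """AP-REQ: the ticket as received plus an authenticator sealed with the session key."""
    return {"ticket": ticket, "authenticator": seal(session_key, {"cname": cname, "ctime": now})}


# --- service: keytab key, clock and replay cache only; no KDC round trip ---
CLOCK_SKEW = 300


def service_verify_ap_req(keytab, sname, ap_req, now, replay_cache):
    try:
        ticket = unseal(keytab[sname], ap_req["ticket"])
    except ValueError:
        raise AuthError("ticket not sealed with our service key")
    if ticket["sname"] != sname:
        raise AuthError("ticket issued for a different service")
    if now > ticket["endtime"]:
        raise AuthError("ticket expired")
    session_key = bytes.fromhex(ticket["key"])
    try:
        auth = unseal(session_key, ap_req["authenticator"])
    except ValueError:
        raise AuthError("authenticator not sealed with the ticket session key")
    if auth["cname"] != ticket["cname"]:
        raise AuthError("authenticator identity does not match the ticket")
    if abs(now - auth["ctime"]) > CLOCK_SKEW:
        raise AuthError("authenticator timestamp outside allowed clock skew")
    if (auth["cname"], auth["ctime"]) in replay_cache:
        raise AuthError("authenticator replayed")
    replay_cache.add((auth["cname"], auth["ctime"]))
    return ticket["cname"], session_key


def run_exchange(scenario="normal"):
    """One AP exchange; returns 'ok:<principal>' or 'fail:<reason>'.
    Principal names and scenario labels are assumptions for this example."""
    service, client = "host/www.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM"
    service_key = os.urandom(32)
    kdc_keys = {service: service_key}   # KDC database entry
    keytab = {service: service_key}     # same long-term key, exported to the host
    now, replay_cache = int(time.time()), set()
    ticket, session_key = kdc_issue_service_ticket(kdc_keys, client, service, now)
    if scenario == "forged_ticket":
        # Attacker lacks the service key, so the forgery fails the service's unseal.
        ticket = seal(os.urandom(32), {"cname": "admin@EXAMPLE.COM", "sname": service,
                                       "key": session_key.hex(), "endtime": now + 3600})
    if scenario == "stolen_ticket":
        # Ticket captured off the wire, but the session key inside it is unknown.
        session_key = os.urandom(32)
    ap_req = client_build_ap_req(ticket, session_key, client, now)
    try:
        who, _ = service_verify_ap_req(keytab, service, ap_req, now, replay_cache)
        if scenario == "replay":
            service_verify_ap_req(keytab, service, ap_req, now + 1, replay_cache)
        return "ok:" + who
    except AuthError as e:
        return "fail:" + str(e)
```

`service_verify_ap_req` opens no connection: the checks it performs (ticket sealed with the keytab key, authenticator sealed with the session key recovered from the ticket, matching identity, clock skew, replay cache) are the ones RFC 4120 asks of the application server, and all are local. The three failure scenarios show why the keytab alone is enough: without the service key a ticket cannot be forged, without the session key a captured ticket cannot be used, and a captured authenticator cannot be reused. On Active Directory, optional PAC validation against a domain controller is a separate authorization step layered on top of this and does not change the ticket verification itself.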


Re: Keytab, service and contacts with the KDC/AD

Ken Hornstein
>Since the service ticket contains the session key encrypted with the
>service key, and the service knows its key via the keytab file, the
>service is able to decrypt the ticket, get the session key, decrypt the
>remaining part of the authenticator, and compare the identity encrypted
>with the session key with the identity embedded in the ticket service,
>enabling it to authenticate the client.
>
>All of this without the service contacting the KDC. That is the most
>important point.
>
>Am I right ?

Yes.

--Ken

Re: Keytab, service and contacts with the KDC/AD

Henry B Hotz
Not to beat a dead horse, but yes. That’s actually a pretty good description of what happens.

Good luck.

> On Oct 4, 2018, at 9:11 AM, Ken Hornstein <[hidden email]> wrote:
>
>> Since the service ticket contains the session key encrypted with the
>> service key, and the service knows its key via the keytab file, the
>> service is able to decrypt the ticket, get the session key, decrypt the
>> remaining part of the authenticator, and compare the identity encrypted
>> with the session key with the identity embedded in the ticket service,
>> enabling it to authenticate the client.
>>
>> All of this without the service contacting the KDC. That is the most
>> important point.
>>
>> Am I right ?
>
> Yes.
>
> --Ken

Personal email.  [hidden email]




RE: Keytab, service and contacts with the KDC/AD

Emmanuel Coirier
Thank you both for your answers, which are very helpful. Having two different people corroborate my explanation is very valuable!

--
Emmanuel Coirier
