Three parties are involved in Kerberos authentication: the Client, the Server (the service being accessed) and the Key Distribution Centre (KDC).
The diagram below shows how the three parties interact.
1 – The Client requests a TGT (Ticket Granting Ticket) from the KDC (Key Distribution Centre). In the basic exchange the Client only sends its principal name (username) in plain text. When pre-authentication is enabled, as it is by default in Active Directory, the request also carries a timestamp encrypted with the Client's key, so the KDC does not hand out a reply to anyone who merely knows a valid username.
2 – The KDC returns two things: the TGT itself, which is encrypted with the KDC's own (krbtgt) key and is therefore opaque to the Client, and a Session Key (SK) encrypted with a key derived from the Client's password. Only a Client that knows the password can recover the Session Key, and that is what actually authenticates it. This Session Key is used for all further communication between the Client and the KDC.
3 – The Client requests a Service Ticket (ST) from the KDC by sending the TGT, the name of the Service (its Service Principal Name, SPN) and an authenticator encrypted with the Session Key. The authenticator proves possession of the Session Key without ever sending the key itself. The KDC can issue the ST only if the SPN is registered with it, i.e. maps to a service principal in its database.
4 – The KDC creates the Service Ticket. It contains the Client's identity and authorization data (in Active Directory, the PAC) together with a fresh key, which this page calls the Sub Session Key (SSK). The Service Ticket is encrypted with the Server's long-term key, which the Server shares with the KDC, so only the Server can decrypt it; the Client never sees its contents. The KDC then builds a reply containing the Service Ticket and a second copy of the Sub Session Key, and encrypts that copy with the Session Key so that only the intended Client can read it. Because any authenticated Client can request a ticket for any registered service and attempt to crack it offline, the service account's password must be strong.
Pictorially the Message looks like this.
5 – The Client decrypts the reply with the Session Key and retrieves the Service Ticket and the Sub Session Key. It then sends the Service Ticket to the Server together with an authenticator (its name and a timestamp) encrypted with the Sub Session Key; for HTTP this AP-REQ is what is wrapped inside the SPNEGO (Negotiate) token. The Server decrypts the Service Ticket with its own key, reads the Client's identity and authorization data, recovers the Sub Session Key and uses it to verify the authenticator: a valid authenticator proves that the sender holds the key issued with the ticket. Now both the Client and the Server share the Sub Session Key and use it to protect all further communication.
6 – The session is established and no further exchange with the KDC is needed; the Client caches the Service Ticket and presents it again until it expires. If the Client asked for mutual authentication, the Server also sends back an AP-REP encrypted with the Sub Session Key, which proves to the Client that it is talking to the genuine Service.
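To make the six steps concrete, here is an added model of the whole exchange with all three parties in one script. It is illustration code written for this page, not Kerberos protocol code: the encryption is a constructed HMAC-based toy standing in for a real Kerberos enctype, and the realm `EXAMPLE.COM`, the user `alice`, the SPN `HTTP/web.example.com` and the passwords are made-up sample data. What it does show faithfully is which key seals which message: the TGT is opaque to the Client, the Client proves possession of the Session Key with an authenticator rather than by sending the key, the Service Ticket can only be opened by the Server, and an unregistered SPN, a wrong password, an expired ticket or a replayed authenticator are all rejected.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (steps 1-6 above).
The cipher below is a constructed HMAC-based toy, NOT a real Kerberos enctype."""
import hashlib
import hmac
import json
import secrets
import time


def derive_key(password, salt):
    """Long-term key from a password (stands in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key, nonce, length):
    blocks, i = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def encrypt(key, obj):
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key plus its own krbtgt key."""
    def __init__(self, realm):
        self.realm = realm
        self.principals = {}
        self.krbtgt_key = secrets.token_bytes(32)  # never leaves the KDC

    def register(self, name, password):
        self.principals[name] = derive_key(password, self.realm + name)

    def as_exchange(self, client, now):
        """Steps 1-2: TGT sealed under krbtgt key (opaque to client) + enc-part under client key."""
        session_key = secrets.token_bytes(32)
        tgt = encrypt(self.krbtgt_key, {"client": client, "session_key": session_key.hex(),
                                        "expires": now + 8 * 3600})
        enc_part = encrypt(self.principals[client], {"session_key": session_key.hex()})
        return tgt, enc_part

    def tgs_exchange(self, tgt, authenticator, spn, now):
        """Steps 3-4: verify authenticator under the TGT's session key, issue service ticket."""
        tgt_body = decrypt(self.krbtgt_key, tgt)
        session_key = bytes.fromhex(tgt_body["session_key"])
        auth = decrypt(session_key, authenticator)  # proves possession of session key
        if auth["client"] != tgt_body["client"] or tgt_body["expires"] < now:
            raise PermissionError("bad authenticator or expired TGT")
        if spn not in self.principals:
            raise LookupError("service %s is not registered with the KDC" % spn)
        ssk = secrets.token_bytes(32)  # the page's "Sub Session Key"
        ticket = encrypt(self.principals[spn], {"client": tgt_body["client"], "spn": spn,
                                                 "ssk": ssk.hex(), "expires": tgt_body["expires"]})
        enc_part = encrypt(session_key, {"spn": spn, "ssk": ssk.hex()})  # client's copy of ssk
        return ticket, enc_part


def client_login(kdc, name, password, now):
    tgt, enc_part = kdc.as_exchange(name, now)
    key = derive_key(password, kdc.realm + name)
    session_key = bytes.fromhex(decrypt(key, enc_part)["session_key"])  # ValueError if wrong pw
    return tgt, session_key


def client_get_service_ticket(kdc, name, tgt, session_key, spn, now):
    authenticator = encrypt(session_key, {"client": name, "ts": now})
    ticket, enc_part = kdc.tgs_exchange(tgt, authenticator, spn, now)
    return ticket, bytes.fromhex(decrypt(session_key, enc_part)["ssk"])


def client_ap_req(name, ticket, ssk, now):
    """Step 5, client side: ticket + authenticator (what a SPNEGO token wraps for HTTP)."""
    return {"ticket": ticket, "authenticator": encrypt(ssk, {"client": name, "ts": now})}


def server_accept(service_key, ap_req, now, seen):
    """Step 5, server side: open ticket with own key, check authenticator, return (client, ssk)."""
    body = decrypt(service_key, ap_req["ticket"])
    if body["expires"] < now:
        raise PermissionError("expired service ticket")
    ssk = bytes.fromhex(body["ssk"])
    auth = decrypt(ssk, ap_req["authenticator"])
    if auth["client"] != body["client"] or abs(auth["ts"] - now) > 300:
        raise PermissionError("authenticator mismatch or clock skew over 5 minutes")
    if ap_req["authenticator"] in seen:
        raise PermissionError("replayed authenticator")
    seen.add(ap_req["authenticator"])
    return body["client"], ssk


def run_exchange(password="correct horse", spn="HTTP/web.example.com"):
    """Full steps 1-6 with constructed sample principals; returns (client seen by server, keys match)."""
    now = time.time()
    kdc = KDC("EXAMPLE.COM")
    kdc.register("alice", "correct horse")
    kdc.register("HTTP/web.example.com", "service-account-pw")
    tgt, session_key = client_login(kdc, "alice", password, now)
    ticket, ssk = client_get_service_ticket(kdc, "alice", tgt, session_key, spn, now)
    service_key = kdc.principals["HTTP/web.example.com"]  # the server's keytab copy of its key
    who, server_ssk = server_accept(service_key, client_ap_req("alice", ticket, ssk, now), now, set())
    return who, server_ssk == ssk


def attempt(**kw):
    """Run the exchange and report the authenticated client or the failure class."""
    try:
        return run_exchange(**kw)[0]
    except Exception as e:
        return type(e).__name__
```

Calling `attempt()` returns `"alice"`; `attempt(password="wrong")` fails at step 2 with a `ValueError`, because the Session Key cannot be recovered without the right password and nothing later can proceed; `attempt(spn="cifs/unknown.example.com")` fails at step 4 with a `LookupError`, the KDC refusing to issue a ticket for a service it does not know.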