Specifications
Chapter 3 Open Directory Authentication 49
About the Kerberos Authentication Process
There are several phases to Kerberos authentication. In the first phase, the client
obtains credentials to be used to request access to Kerberized services. In the second
phase, the client requests authentication for a specific service. In the final phase, the
client presents those credentials to the service.
The following illustration summarizes these activities. The service and the client can be
the same entity (such as the login window) or two entities (such as a mail client and
the mail server).
[Illustration: Kerberos Authentication Process, showing the Client, the Key Distribution Center (KDC), and the Kerberized service, connected by the six numbered steps listed below.]
Kerberos Authentication Process:
1 The client authenticates to a Kerberos KDC, which interacts with realms to access
authentication data.
This is the only step in which passwords and associated password policy information
are checked.
2 The KDC issues a ticket-granting ticket to the client.
The ticket is the credential needed when the client wants to use Kerberized services
and is good for a configurable period of time, but it can be revoked before expiration.
It is cached on the client until it expires.
3 The client contacts the KDC with the ticket-granting ticket when it wants to use a
Kerberized service.
4 The KDC issues a ticket for that service.
5 The client presents the ticket to the service.
6 The service authenticates the client by verifying that the ticket is valid.
After authenticating the client, the service determines if the client is authorized to use
the service.
Kerberos only authenticates clients; it does not authorize them to use services. For
example, many services use Mac OS X Server’s service access control lists (SACLs) to
determine whether a client is authorized to use the service.
Kerberos never sends a password or password policy information to a service. After a
ticket-granting ticket is obtained, no password information is provided.
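The six steps above, plus the two points that follow them (Kerberos authenticates but does not authorize, and no password ever reaches a service), as an added simulation that is not part of this guide or of Apple's Open Directory code. It is a toy model: HMAC tags stand in for Kerberos ticket encryption, PBKDF2 stands in for string-to-key, and the realm name, principal names, lifetimes and SACL are constructed values.

```python
import hashlib, hmac, json, os

def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key: PBKDF2 salted with realm + principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def seal(key: bytes, fields: dict) -> dict:
    # Stand-in for ticket encryption: an HMAC tag binds the fields to the issuing key.
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}

def unseal(key: bytes, ticket: dict) -> dict:
    # Only the holder of the sealing key can validate (and thus accept) the ticket.
    expect = hmac.new(key, ticket["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expect, ticket["tag"]):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(ticket["body"])

class KDC:
    def __init__(self, realm: str, tgt_lifetime: int = 8 * 3600):
        self.realm, self.tgt_lifetime = realm, tgt_lifetime
        self.keys: dict[str, bytes] = {}      # principal -> long-term key (constructed store)
        self.tgs_key = os.urandom(32)         # key that seals ticket-granting tickets
        self.revoked: set[str] = set()        # TGT ids revoked before their expiry

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = derive_key(password, self.realm + name)

    def authenticate(self, name: str, password: str, now: int) -> dict:
        # Steps 1-2: the only point where a password is checked; the KDC returns a TGT.
        if not hmac.compare_digest(derive_key(password, self.realm + name), self.keys.get(name, b"")):
            raise PermissionError("bad password")
        fields = {"id": os.urandom(8).hex(), "client": name, "expires": now + self.tgt_lifetime}
        return seal(self.tgs_key, fields)

    def service_ticket(self, tgt: dict, service: str, now: int) -> dict:
        # Steps 3-4: validate the cached TGT, then issue a ticket sealed under the service's key.
        t = unseal(self.tgs_key, tgt)
        if t["expires"] <= now or t["id"] in self.revoked:
            raise PermissionError("TGT expired or revoked")
        return seal(self.keys[service], {"client": t["client"], "service": service, "expires": t["expires"]})

class KerberizedService:
    def __init__(self, name: str, kdc: KDC, sacl: set[str]):
        # The service holds only its own key (its keytab) and its access control list.
        self.name, self.key, self.sacl = name, kdc.keys[name], sacl

    def accept(self, ticket: dict, now: int) -> tuple[str, bool]:
        # Steps 5-6: verify the ticket with the service's own key; no password is seen here.
        t = unseal(self.key, ticket)
        if t["service"] != self.name or t["expires"] <= now:
            raise PermissionError("ticket not for this service or expired")
        # Kerberos only authenticated the client; authorization (here an SACL) is separate.
        return t["client"], t["client"] in self.sacl
```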