Specifications
38 Chapter 3 User Authentication With Open Directory
Here are examples of realm and principal names. Realm names are capitalized by
convention to distinguish them from DNS domain names; note that Kerberos compares
realm names case-sensitively, so MYREALM.EXAMPLE.COM and myrealm.example.com are
different realms. A service principal has the form service/host@REALM, where the
host part is the server's fully qualified DNS name:
• Realm: MYREALM.EXAMPLE.COM
• User principal: smitty@MYREALM.EXAMPLE.COM
• Service principal: afpserver/somehost.example.com@MYREALM.EXAMPLE.COM
Kerberos Authentication Process
There are several phases to Kerberos authentication. In the first phase, the client
obtains credentials to be used to request access to Kerberized services. In the second
phase, the client requests authentication for a specific service. In the final phase, the
client presents those credentials to the service.
The following illustration summarizes these activities. Note that the service and the
client in this picture may be the same entity (such as the login window) or two
different entities (such as a mail client and the mail server).
1 The client authenticates to a Kerberos KDC, which looks up the client's principal in
the authentication database of its realm. This is the only step in which the password
and its associated password policy information need to be checked.
2 The KDC issues the client a ticket-granting ticket, the credential needed when the client
wants to use Kerberized services. The ticket-granting ticket is good for a configurable
period of time (its lifetime). Kerberos has no mechanism for recalling a ticket once it
has been issued, so the lifetime bounds how long a stolen ticket remains usable. The
ticket is cached on the client until it expires.
3 The client contacts the KDC with the ticket-granting ticket when it wants to use a
particular Kerberized service.
4 The KDC issues a ticket for that service.
5 The client presents the ticket to the service.
6 The service verifies that the ticket is valid: it decrypts the ticket with its own key,
checks that the ticket has not expired, and checks that the client's authenticator
matches the principal named in the ticket. If the ticket is valid, use of the service is
granted to the client if the client is authorized to use the service. (Kerberos only
authenticates clients; it does not authorize them to use services. An AFP server, for
example, needs to consult the user's account in a directory domain to obtain the UID.)
If required, the service uses the client principal name in the ticket to retrieve
additional information about the user from a directory domain.
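The six-step exchange above, and the principal-name forms from the examples earlier in this section, as a runnable model. This is an added example, not code from the Apple manual or from any Kerberos implementation: the cipher is a toy stand-in for a Kerberos enctype, the message layouts are simplified, and the names MYREALM.EXAMPLE.COM, smitty, afpserver/somehost.example.com and the password are assumed. It shows that the password-derived key is used only in step 1 (modelled as encrypted-timestamp pre-authentication), that the KDC checks the TGT with its own krbtgt key in step 3, and that the service's check in step 6 is validity plus a separate, non-Kerberos authorization decision.

```python
import hashlib, hmac, json, os, time

def parse_principal(name):
    """Split 'primary[/instance]@REALM' into its parts. The realm is kept as written:
    Kerberos compares realms case-sensitively, so do not lower-case it here."""
    local, sep, realm = name.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError(f"not a principal: {name!r}")
    primary, _, instance = local.partition("/")
    return {"primary": primary, "instance": instance or None, "realm": realm}

def string_to_key(password, principal):
    # Password -> long-term key, salted with the principal name (as Kerberos does).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20000)

def seal(key, obj):
    # Toy authenticated encryption (SHA-256 keystream + HMAC tag), assumed here as a
    # stand-in for a Kerberos enctype so the exchange runs offline. Not a real cipher.
    nonce, pt = os.urandom(12), json.dumps(obj).encode()
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

class KDC:
    def __init__(self, realm, lifetime=8 * 3600):
        self.realm, self.lifetime, self.keys = realm, lifetime, {}
        self.keys[f"krbtgt/{realm}@{realm}"] = os.urandom(32)   # key that seals TGTs

    def enroll(self, principal, password):
        self.keys[principal] = string_to_key(password, principal)

    def as_exchange(self, client, preauth):
        # Step 1: the only step where the password matters. The client proves it by
        # sealing a timestamp under its password-derived key; a wrong password fails
        # the tag check, a stale timestamp fails the clock-skew check.
        key = self.keys[client]
        if abs(unseal(key, preauth)["ts"] - time.time()) > 300:
            raise ValueError("preauth timestamp outside allowed clock skew")
        sk, exp = os.urandom(32).hex(), time.time() + self.lifetime
        tgt = seal(self.keys[f"krbtgt/{self.realm}@{self.realm}"],
                   {"client": client, "sk": sk, "exp": exp})
        # Step 2: the TGT is opaque to the client; the session key travels under its key.
        return {"tgt": tgt, "enc": seal(key, {"sk": sk, "exp": exp})}

    def tgs_exchange(self, tgt, authenticator, service):
        # Steps 3-4: the TGT is checked with the krbtgt key, never with the user's password.
        t = unseal(self.keys[f"krbtgt/{self.realm}@{self.realm}"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_sk, exp = os.urandom(32).hex(), min(t["exp"], time.time() + self.lifetime)
        ticket = seal(self.keys[service], {"client": t["client"], "sk": svc_sk, "exp": exp})
        return {"ticket": ticket, "enc": seal(bytes.fromhex(t["sk"]), {"sk": svc_sk})}

class Service:
    def __init__(self, principal, key, authorized):
        self.principal, self.key, self.authorized = principal, key, authorized

    def accept(self, ticket, authenticator):
        # Step 6: key, expiry and client match are Kerberos validity checks;
        # the authorization lookup is the service's own business (here, a set).
        t = unseal(self.key, ticket)
        if t["exp"] < time.time():
            raise ValueError("service ticket expired")
        if unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        return {"authenticated": t["client"], "authorized": t["client"] in self.authorized}

def run(realm="MYREALM.EXAMPLE.COM", user="smitty", password="hunter2",
        service="afpserver/somehost.example.com", typed_password=None):
    """Full client-side flow; typed_password lets a caller simulate a wrong password."""
    kdc = KDC(realm)
    up, sp = f"{user}@{realm}", f"{service}@{realm}"
    kdc.enroll(up, password)
    kdc.enroll(sp, os.urandom(16).hex())              # service's keytab key, assumed
    afp = Service(sp, kdc.keys[sp], authorized={up})   # authorization data, assumed
    ckey = string_to_key(typed_password or password, up)
    rep = kdc.as_exchange(up, seal(ckey, {"ts": time.time()}))          # steps 1-2
    sk = bytes.fromhex(unseal(ckey, rep["enc"])["sk"])                  # cached TGT key
    tgs = kdc.tgs_exchange(rep["tgt"], seal(sk, {"client": up}), sp)    # steps 3-4
    svc_sk = bytes.fromhex(unseal(sk, tgs["enc"])["sk"])
    return afp.accept(tgs["ticket"], seal(svc_sk, {"client": up}))      # steps 5-6

if __name__ == "__main__":
    print(parse_principal("afpserver/somehost.example.com@MYREALM.EXAMPLE.COM"))
    print(run())
```

Running run() returns the authenticated principal together with the service's own authorization verdict; run(typed_password="wrong") fails in step 1 with a tag error, which is the model's equivalent of a KDC pre-authentication failure, and nothing later in the flow ever sees the password again.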
[Illustration: the Kerberos authentication exchange among the Client, the Key Distribution Center (KDC), and the Kerberized service, with arrows numbered 1 through 6 corresponding to the steps listed above.]
LL2352.Book Page 38 Friday, August 22, 2003 3:12 PM