Kerberos authentication
Kerberos is a trusted third-party authentication service that authenticates client and server applications using secret-key cryptography. Clients and servers are collectively referred to as principals. Kerberos keeps a database of the long-term secret keys of clients and servers and uses those keys to authenticate principals on a network. Kerberos also generates temporary session keys that a client and a server share in order to communicate with each other; communication between them is then encrypted with that session key.
The Kerberos architecture consists of the following entities and several modular services:
- Clients that need to use services provided by a server.
- Servers that provide services to clients.
- Key Distribution Center (KDC) that manages the Kerberos protocol, for example by generating session keys.
The following table describes the Kerberos authentication logon workflow:
| Stage | Description |
|---|---|
| 1 | The user accesses the protected application from a client, such as a web browser. |
| 2 | The Remedy SSO Agent redirects the user to the Remedy Single Sign-On (Remedy SSO) console. |
| 3 | Remedy SSO returns a 401 Unauthorized response to the client with the header set to “WWW-Authenticate: Negotiate”. |
| 4 | The client obtains a Kerberos service ticket from the Key Distribution Center (KDC) using its ticket-granting ticket (TGT). |
| 5 | The client sends the service ticket to the Remedy SSO server in the HTTP header called Authorization. The value of this header has the form “Negotiate <base64-encoded token>”. |
| 6 | Remedy SSO validates the token with the KDC. |
| 7 | Remedy SSO creates a session for the user’s access request. |
| 8 | The user accesses the protected application. |
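As an added example that is not part of this page or of Remedy SSO, the following Python sketches the server side of stages 3, 5 and 6: it parses the Negotiate value of the Authorization header into a token and checks that the token is a GSS-API InitialContextToken (RFC 2743) carrying the SPNEGO or Kerberos 5 mechanism before the token is handed to a GSS-API library for validation against the KDC (that validation call needs a keytab and a live KDC and is not shown). The function names and the sample token bytes are assumptions constructed for this example.

```python
import base64
import binascii
import re

# DER content bytes of the mechanism OIDs a Negotiate token may carry:
# SPNEGO 1.3.6.1.5.5.2 (RFC 4178) and Kerberos 5 1.2.840.113554.1.2.2 (RFC 4121).
SPNEGO_OID_DER = bytes.fromhex("2b0601050502")
KRB5_OID_DER = bytes.fromhex("2a864886f712010202")
ALLOWED_MECHS = (SPNEGO_OID_DER, KRB5_OID_DER)

def parse_negotiate_header(value):
    """Stage 5: decode the token from 'Authorization: Negotiate <base64>'; None if malformed."""
    m = re.fullmatch(r"\s*Negotiate\s+([A-Za-z0-9+/]+={0,2})\s*", value or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True)
    except binascii.Error:  # bad padding or length
        return None

def _der_len(buf, pos):
    """DER length at buf[pos] -> (length, offset after it); handles short and long form."""
    n = buf[pos]
    if n < 0x80:
        return n, pos + 1
    n &= 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def gss_mech_oid(token):
    """OID content bytes of an RFC 2743 InitialContextToken ([APPLICATION 0] OID ...), or None."""
    try:
        if token[0] != 0x60:
            return None
        body_len, pos = _der_len(token, 1)
        if pos + body_len != len(token) or token[pos] != 0x06:
            return None
        oid_len, pos = _der_len(token, pos + 1)
        if oid_len == 0 or pos + oid_len > len(token):
            return None
        return token[pos:pos + oid_len]
    except IndexError:  # truncated token
        return None

def accept_negotiate(header_value):
    """Token to hand to GSS-API accept_sec_context (stage 6); None means re-issue the stage 3 401 Negotiate challenge."""
    token = parse_negotiate_header(header_value)
    if token is None or gss_mech_oid(token) not in ALLOWED_MECHS:
        return None
    return token
```

A malformed header or an unexpected mechanism (for example an NTLMSSP blob, which begins with the ASCII text NTLMSSP rather than the 0x60 tag) yields None, so the server answers with the stage 3 challenge again instead of passing unchecked bytes to the KDC-backed validator.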