Out of support This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.Click here to view the documentation for a supported version of Remedy Single Sign-On.

Kerberos authentication

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
The Kerberos architecture is designed around messages exchange between three kinds of entities:

  1. The clients that use kerberos services.
  2. The servers that provide services (The clients and servers are collectively referred to as principals).
  3. The servers that manage the Kerberos protocol itself. These servers are often called KDCs (Key Distribution Centers), and comprise of several modular services.

How Kerberos works

The Kerberos authentication system is built on top of tickets (also called as credentials). The core idea behind Kerberos is that a client does not provide its account password to each service with which it wants to interact with. Instead, a client sends a request for a ticket to the Key Distribution Center (KDC) (see figure 1). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password. If the client successfully decrypts the TGT which means the client provides the correct password, the client keeps the decrypted TGT indicating the proof of client's identity. The following diagram displays the communication between the client, KDC and the server.

kerberos.jpg

When the client requests connection to a service, the KDC responds by sending it a service ticket. A service ticket is used to authenticate with services other than the Ticket Granting Service (TGS) and is meant only for the target service. A service ticket is encrypted with a service key, which is a long-term key shared between the KDC and the target service. Thus, although the client manages the service ticket, the client cannot read it. Only the KDC and the target service can read tickets, enabling secure access to user credentials, the session key, and other information.

A client can uniquely identify an instance of a service by a service principal name (SPN). A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. A given SPN can be registered on only one account. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

The advantage of the Kerberos authentication system is that each service gets only the ticket for that service. A client doesn't hand over its password, and therefore the service doesn't have an opportunity to grab the client's password and use it to impersonate the client.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*