3.1. The Authentication Service Exchange
Overview
The Authentication Service (AS) exchange is the first interaction between a client and the Kerberos system. It results in the client obtaining a Ticket-Granting Ticket (TGT) and a fresh session key shared with the Ticket-Granting Service (TGS); both are used in subsequent ticket requests (the TGS exchange), so the client's long-term key is needed only once.
Message Flow
- KRB_AS_REQ: Client sends the authentication request to the AS, naming itself, the realm, the service (normally krbtgt/REALM), a nonce, and its supported encryption types
- KRB_AS_REP: AS responds with the TGT (encrypted in the TGS's key, so the client cannot read it) and an encrypted part (encrypted in the client's long-term key) carrying the session key, the request's nonce and the ticket times
- KRB_ERROR: Returned instead of KRB_AS_REP if the request cannot be satisfied, including the case where pre-authentication is required but was not supplied
Key Components
Generation of KRB_AS_REQ Message
The client constructs a request containing:
- Client principal name (cname) and realm
- Server principal name (sname), normally krbtgt/REALM for a TGT
- Requested ticket options (KDC options such as forwardable or renewable) and requested times (from, till, rtime)
- A nonce, echoed back in the encrypted part of the reply so the client can match reply to request
- Encryption type preferences (etype list, in order of preference)
- Pre-authentication data (padata) when the KDC requires it; the common form is PA-ENC-TIMESTAMP, the current time encrypted in the client's long-term key. A client typically sends the request without padata first and adds it after receiving KDC_ERR_PREAUTH_REQUIRED
Receipt and Processing
The AS validates the request and checks:
- The client principal exists in the database for the named realm, and the server principal (krbtgt) is known
- Pre-authentication requirements: if the principal or realm policy requires it and no padata is present, the request is rejected; if padata is present it is verified (for PA-ENC-TIMESTAMP, the timestamp must decrypt under the client's key and lie within the KDC's allowed clock skew)
- Policy constraints: requested lifetimes and renew times are clipped to the maximum allowed for the principal and realm
- Requested options are permitted for this principal (for example, whether forwardable or renewable tickets may be issued)
- At least one encryption type in the client's etype list is supported for both the client's key and the session key; otherwise KDC_ERR_ETYPE_NOSUPP is returned
Generation of KRB_AS_REP Message
If the request is valid, the AS generates a random session key and constructs a reply containing:
- The TGT: client name, session key, flags and times, encrypted in the TGS's (krbtgt) key
- An encrypted part under the client's long-term key: the same session key, the nonce from the request, the ticket flags and times (authtime, starttime, endtime, renew-till), and the server name
The client decrypts only the second part; the ticket is opaque to it and is presented unchanged to the TGS later.
Error Handling
If the request cannot be satisfied, a KRB_ERROR message is returned with the appropriate error code, for example KDC_ERR_C_PRINCIPAL_UNKNOWN (client not in the database), KDC_ERR_PREAUTH_REQUIRED (with the acceptable pre-authentication types listed in e-data so the client can retry), KDC_ERR_PREAUTH_FAILED (padata did not verify, typically a wrong password), or KDC_ERR_ETYPE_NOSUPP. Error messages are not encrypted, so the client treats them as hints rather than as authenticated statements.
Security Considerations
- The client's long-term key, derived from the password by the encryption type's string-to-key function, is the only thing protecting the AS reply. Anyone who obtains a reply for a principal can guess passwords offline until the encrypted part decrypts correctly.
- Pre-authentication can be required to prevent offline dictionary attacks: without it, the KDC issues an AS-REP to any requester that names a principal, handing out guessing material for free. With PA-ENC-TIMESTAMP the requester must already hold the key to produce the request. An attacker who can capture the encrypted timestamp on the network still gets guessing material, which is why stronger mechanisms such as FAST (RFC 6113) or PKINIT (RFC 4556) exist.
- Replay protection comes from two fields: the nonce in the request, echoed in the encrypted part of the reply, lets the client confirm the reply answers this request and not an earlier one; the pre-authentication timestamp, checked against the KDC's clock skew window, bounds replay of a captured request. Clock skew beyond the window yields an error rather than a ticket.
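The exchange described in 3.1.1 to 3.1.6 and the security points above, as an added example that is not RFC 4120 text or code from any Kerberos implementation: a toy KDC and client in one process. Messages are Python dicts instead of ASN.1 DER, and the encrypt()/decrypt() pair is an assumed stand-in for an RFC 3961 encryption profile (HMAC-SHA256 keystream plus a MAC, bound to the RFC 4120 key-usage number), not a real one. The KDC walks the 3.1.2 checks (unknown principal, pre-auth required, pre-auth failed, clock skew), the client answers a KDC_ERR_PREAUTH_REQUIRED challenge and verifies the nonce, and guess_password_offline shows what an AS-REP obtained from a KDC that does not require pre-authentication gives an attacker.

```python
# Added example (not RFC 4120 text or any Kerberos implementation): a toy AS exchange.
# Messages are dicts rather than ASN.1 DER; encrypt()/decrypt() stand in for an
# RFC 3961 encryption profile and must not be used as one.
import hashlib
import hmac
import json
import os
import time

KRB_AS_REQ, KRB_AS_REP, KRB_ERROR = 10, 11, 30                      # msg-type values
KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_FAILED = 6, 24           # RFC 4120 7.5.9
KDC_ERR_PREAUTH_REQUIRED, KRB_AP_ERR_SKEW = 25, 37
USAGE_PA_ENC_TIMESTAMP, USAGE_TICKET, USAGE_AS_REP_ENC = 1, 2, 3       # RFC 4120 7.5.1
CLOCK_SKEW = 300                                                      # seconds


def string_to_key(password, salt):
    """Placeholder for the etype's string-to-key function (real profiles differ)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key, usage, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + bytes([usage]) + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key, usage, fields):
    """Toy encrypt-then-MAC bound to the key-usage number; NOT an RFC 3961 profile."""
    data, nonce = json.dumps(fields, sort_keys=True).encode(), os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, usage, nonce, len(data))))
    return nonce + body + hmac.new(key, bytes([usage]) + nonce + body, hashlib.sha256).digest()


def decrypt(key, usage, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, bytes([usage]) + nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key, wrong usage, or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, usage, nonce, len(body)))))


def krb_error(code):
    return {"msg-type": KRB_ERROR, "error-code": code}


class KDC:
    def __init__(self, realm, principals, krbtgt_key, require_preauth=True):
        self.realm, self.db, self.krbtgt_key = realm, principals, krbtgt_key
        self.require_preauth = require_preauth   # realm/principal policy from 3.1.2

    def handle_as_req(self, req):
        client_key = self.db.get(req["cname"])
        if req["realm"] != self.realm or client_key is None:
            return krb_error(KDC_ERR_C_PRINCIPAL_UNKNOWN)
        if self.require_preauth:
            if "padata" not in req:
                return krb_error(KDC_ERR_PREAUTH_REQUIRED)
            try:
                ts = decrypt(client_key, USAGE_PA_ENC_TIMESTAMP, req["padata"])
            except ValueError:
                return krb_error(KDC_ERR_PREAUTH_FAILED)
            if abs(ts["patimestamp"] - time.time()) > CLOCK_SKEW:
                return krb_error(KRB_AP_ERR_SKEW)
        session_key, now = os.urandom(32), int(time.time())
        endtime, sname = min(req["till"], now + 10 * 3600), "krbtgt/" + self.realm   # clip to policy
        ticket = {"sname": sname, "enc-part": encrypt(self.krbtgt_key, USAGE_TICKET,
                  {"key": session_key.hex(), "cname": req["cname"], "authtime": now, "endtime": endtime})}
        enc_part = encrypt(client_key, USAGE_AS_REP_ENC, {"key": session_key.hex(), "nonce": req["nonce"],
                           "sname": sname, "authtime": now, "endtime": endtime})
        return {"msg-type": KRB_AS_REP, "cname": req["cname"], "ticket": ticket, "enc-part": enc_part}


def client_as_exchange(kdc, cname, password, realm):
    """3.1.1 and 3.1.5: build KRB_AS_REQ, answer a pre-auth challenge, verify KRB_AS_REP."""
    key = string_to_key(password, realm + cname)          # default salt is realm + principal name
    nonce = int.from_bytes(os.urandom(4), "big")
    req = {"msg-type": KRB_AS_REQ, "cname": cname, "realm": realm, "sname": "krbtgt/" + realm,
           "till": int(time.time()) + 8 * 3600, "nonce": nonce, "etype": ["toy-hmac-sha256"]}
    rep = kdc.handle_as_req(req)
    if rep["msg-type"] == KRB_ERROR and rep["error-code"] == KDC_ERR_PREAUTH_REQUIRED:
        req["padata"] = encrypt(key, USAGE_PA_ENC_TIMESTAMP, {"patimestamp": int(time.time())})
        rep = kdc.handle_as_req(req)                       # retry with PA-ENC-TIMESTAMP
    if rep["msg-type"] == KRB_ERROR:
        return rep                                         # 3.1.6: hand the error to the caller
    enc = decrypt(key, USAGE_AS_REP_ENC, rep["enc-part"])  # raises if the password was wrong
    if enc["nonce"] != nonce:
        raise ValueError("nonce mismatch: reply does not belong to this request")
    return {"tgt": rep["ticket"], "session_key": bytes.fromhex(enc["key"]), "endtime": enc["endtime"]}


def guess_password_offline(rep, cname, realm, wordlist):
    """Offline guessing against an AS-REP issued for a principal without pre-authentication."""
    for candidate in wordlist:
        try:
            decrypt(string_to_key(candidate, realm + cname), USAGE_AS_REP_ENC, rep["enc-part"])
            return candidate
        except ValueError:
            pass
    return None
```

Run client_as_exchange against a KDC built with require_preauth=True to see the two-round-trip flow (error 25, then a reply); against one built with require_preauth=False, handle_as_req answers a request that carries no proof of the password at all, and guess_password_offline recovers a weak password from that reply without touching the KDC again. The key-usage binding in encrypt() is what stops a ciphertext produced for one purpose (the pre-auth timestamp) being replayed as another (the reply's encrypted part).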
Related Subsections
- 3.1.1. Generation of KRB_AS_REQ Message
- 3.1.2. Receipt of KRB_AS_REQ Message
- 3.1.3. Generation of KRB_AS_REP Message
- 3.1.4. Generation of KRB_ERROR Message
- 3.1.5. Receipt of KRB_AS_REP Message
- 3.1.6. Receipt of KRB_ERROR Message
Reference
For complete technical details, refer to RFC 4120 Section 3.1.