3.2. The Client/Server Authentication Exchange
Overview
The Client/Server (CS) authentication exchange is used when a client wishes to authenticate to an application server using a service ticket obtained from the TGS.
Message Flow
- KRB_AP_REQ: Client sends authentication request to application server
  - Contains service ticket
  - Contains authenticator (encrypted with session key)
- KRB_AP_REP: Optional mutual authentication response from server
The KRB_AP_REQ Message
Components
- Ticket: Encrypted in server's long-term key, contains:
  - Client identity
  - Session key
  - Validity period
- Authenticator: Encrypted in session key, contains:
  - Client principal name
  - Timestamp
  - Optional sub-session key
Generation Process
Client constructs the authenticator and packages it with the ticket for transmission to the application server.
Receipt and Verification
The application server:
- Decrypts the ticket using its long-term key
- Extracts the session key from the ticket
- Decrypts and validates the authenticator using that session key
- Checks the authenticator timestamp against its own clock and against recently seen authenticators for replay protection
The KRB_AP_REP Message
Purpose
Provides mutual authentication: proves to the client that the server possesses the session key.
Generation
The server creates a reply encrypted with the session key, containing the timestamp from the client's authenticator.
Receipt
The client verifies the returned timestamp to confirm the server's possession of the session key.
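The full KRB_AP_REQ / KRB_AP_REP exchange described above, as an added example that is not part of the original page or of any Kerberos implementation. It assumes a toy encrypt-then-MAC stand-in (seal/unseal) for the real RFC 3961 encryption profiles, a JSON encoding instead of ASN.1, and a five-minute clock-skew policy; ticket issuance by the TGS is simulated by issue_ticket.

```python
import hashlib, hmac, json, os

SKEW = 300  # assumed clock-skew policy (seconds); RFC 4120 suggests five minutes

def _stream(key, nonce, n):  # keystream for the toy cipher below
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):  # toy encrypt-then-MAC stand-in for a Kerberos encryption profile (not RFC 3961)
    plain, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # wrong key or tampered message
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def issue_ticket(server_key, cname, session_key, now, lifetime=8 * 3600):
    # what the TGS hands the client: ticket sealed under the server's long-term key
    return seal(server_key, {"cname": cname, "key": session_key.hex(),
                             "starttime": now, "endtime": now + lifetime})

def build_ap_req(ticket, session_key, cname, now):
    auth = {"cname": cname, "ctime": now, "cusec": 0}  # authenticator fields
    return {"ticket": ticket, "authenticator": seal(session_key, auth)}, auth

class AppServer:
    def __init__(self, long_term_key):
        self.key, self.replay_cache = long_term_key, set()
    def verify_ap_req(self, ap_req, now):
        ticket = unseal(self.key, ap_req["ticket"])          # 1: ticket under long-term key
        if not ticket["starttime"] <= now < ticket["endtime"]:
            raise ValueError("ticket not currently valid")
        session_key = bytes.fromhex(ticket["key"])           # 2: extract session key
        auth = unseal(session_key, ap_req["authenticator"])  # 3: authenticator under session key
        if auth["cname"] != ticket["cname"]:
            raise ValueError("authenticator client does not match ticket")
        if abs(auth["ctime"] - now) > SKEW:                  # 4: timestamp and replay checks
            raise ValueError("clock skew too great")
        seen = (auth["cname"], auth["ctime"], auth["cusec"])
        if seen in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(seen)
        ap_rep = seal(session_key, {"ctime": auth["ctime"], "cusec": auth["cusec"]})
        return session_key, ap_rep                           # KRB_AP_REP for mutual authentication

def verify_ap_rep(session_key, ap_rep, sent_auth):
    # client side: only a server that recovered the session key can echo ctime/cusec
    rep = unseal(session_key, ap_rep)
    return (rep["ctime"], rep["cusec"]) == (sent_auth["ctime"], sent_auth["cusec"])
```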
Using the Encryption Key
After successful authentication, the session key (or optional sub-session key) can be used to:
- Encrypt subsequent messages
- Provide integrity protection
- Establish secure channel
Reference
For complete technical details, refer to RFC 4120 Section 3.2.