3.3. The Ticket-Granting Service (TGS) Exchange
Overview
The TGS exchange lets a client that already holds a Ticket-Granting Ticket (TGT) from the AS exchange obtain service tickets for application servers without using its long-term key again. The client authenticates to the TGS with the TGT and an authenticator, exactly as it would authenticate to any application server, and receives a ticket for the requested service together with a new session key. The same exchange is also used to renew, validate, forward and proxy tickets, and to obtain tickets in other realms.
Message Flow
- KRB_TGS_REQ: Client sends ticket request to TGS
  - Includes the TGT, carried in the padata field as PA-TGS-REQ
  - Includes an authenticator encrypted under the TGT session key
  - Specifies the desired service, the requested options and the validity period
- KRB_TGS_REP: TGS responds with the service ticket and a new session key
- KRB_ERROR: Returned if the request cannot be satisfied (expired TGT, bad checksum, option not allowed, unknown service, ...)
Generation of KRB_TGS_REQ Message
Client constructs request containing:
- TGT (from previous AS exchange), sent as the ticket of an AP-REQ in the padata field (PA-TGS-REQ)
- Authenticator (encrypted with TGT's session key) in the same AP-REQ; it holds the client name and realm, a timestamp, a checksum over the request body, and optionally a subkey under which the client wants the reply encrypted
- Service principal name and realm
- Requested ticket options (kdc-options such as FORWARDABLE, RENEWABLE, RENEW, VALIDATE, PROXY)
- Requested validity period (till, plus rtime when a renewable ticket is requested) and a nonce that binds the reply to this request
Receipt of KRB_TGS_REQ Message
TGS validates the request:
- Decrypts the TGT with the key of krbtgt/REALM and checks that it has not expired and is not marked INVALID
- Decrypts the authenticator with the session key found inside the TGT, checks that its client name and realm match the TGT and that its timestamp is within the permitted clock skew; it may also check the authenticator against a replay cache
- Verifies the authenticator's checksum over the request body and rejects the request if it does not match
- Checks that the requested options are consistent with the TGT's flags and with KDC policy (a FORWARDABLE ticket, for example, is issued only from a FORWARDABLE TGT); whether the client may actually use the service is not decided here, since Kerberos authenticates but does not authorize
- Processes special options (RENEW, VALIDATE, PROXY, FORWARDED, etc.)
Generation of KRB_TGS_REP Message
If request is valid, TGS issues service ticket:
- Generates a fresh session key for the client and the service
- Encrypts the ticket in the service's long-term key
- Encrypts the reply (containing the session key, the nonce from the request, and the ticket's flags and times) in the TGT's session key, or in the subkey from the authenticator if the client supplied one
- Sets ticket flags from the granted options, never granting more than the TGT's flags allow
- Establishes the ticket validity period: the requested end time, capped by KDC policy and by the TGT's own expiry
Receipt of KRB_TGS_REP Message
Client:
- Decrypts the reply using the TGT's session key (or its own subkey, if it sent one)
- Checks that the nonce and the service name in the reply match the request it sent
- Extracts the new service ticket and session key and stores them in its credential cache
- Can now authenticate to the requested service with an AP exchange
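The four steps above as one end-to-end exchange, added here as an illustration; this is not code from RFC 4120 or from any Kerberos implementation. Messages are Python dicts, and the "encryption type" is a toy HMAC-SHA256 stream cipher with a MAC that stands in for real Kerberos etypes (it is not interoperable with anything). The key-usage numbers are the ones RFC 4120 section 7.5.1 assigns to these messages; the principal names, realm, skew tolerance and lifetime limit are assumptions.

```python
"""Simulated TGS exchange (RFC 4120 3.3), both sides.  Messages are dicts with hex
ciphertext; the "etype" is a toy HMAC-SHA256 stream cipher plus MAC that stands in
for real Kerberos encryption types (not interoperable).  Principal names, realm,
lifetimes and skew are illustrative assumptions."""
import hashlib, hmac, json, os, time

# Key usage numbers from RFC 4120 section 7.5.1
KU_TICKET = 2           # ticket enc-part, under the service's long-term key
KU_TGS_REQ_CKSUM = 6    # checksum over req-body, keyed with the TGT session key
KU_TGS_REQ_AUTH = 7     # PA-TGS-REQ authenticator, under the TGT session key
KU_TGS_REP_SESSION = 8  # TGS-REP enc-part under the TGT session key
KU_TGS_REP_SUBKEY = 9   # TGS-REP enc-part under the authenticator subkey
MAX_SKEW = 300          # assumed clock-skew tolerance, seconds
MAX_LIFE = 10 * 3600    # assumed KDC policy: longest ticket lifetime, seconds

def _prf(key, usage, data):
    return hmac.new(key, usage.to_bytes(4, "big") + data, hashlib.sha256).digest()

def _stream(key, usage, nonce, n):
    return b"".join(_prf(key, usage, b"ks" + nonce + i.to_bytes(4, "big"))
                    for i in range(n // 32 + 1))

def encrypt(key, usage, msg):
    """Toy authenticated encryption: keystream XOR plaintext, MAC over nonce||ct."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, usage, nonce, len(pt))))
    return nonce + ct + _prf(key, usage, b"mac" + nonce + ct)

def decrypt(key, usage, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, usage, b"mac" + nonce + ct)):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY")  # wrong key/usage or tampered
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, usage, nonce, len(ct)))))

def client_build_tgs_req(tgt_blob, tgt_key, cname, crealm, sname, till, options, subkey=None):
    """3.3.1: TGT and authenticator travel in padata as PA-TGS-REQ; the authenticator
    carries a checksum over req-body so the TGS can detect tampering."""
    body = {"kdc-options": sorted(options), "realm": crealm, "sname": sname,
            "till": int(till), "nonce": int.from_bytes(os.urandom(4), "big")}
    auth = {"crealm": crealm, "cname": cname, "ctime": int(time.time()),
            "cksum": _prf(tgt_key, KU_TGS_REQ_CKSUM, json.dumps(body, sort_keys=True).encode()).hex()}
    if subkey:
        auth["subkey"] = subkey.hex()
    pa = {"ticket": tgt_blob.hex(), "authenticator": encrypt(tgt_key, KU_TGS_REQ_AUTH, auth).hex()}
    return {"padata": [{"type": "PA-TGS-REQ", "value": pa}], "req-body": body}

def tgs_process(req, krbtgt_key, service_keys):
    """3.3.2/3.3.3: validate TGT, authenticator and checksum, then issue the ticket."""
    now, pa, body = time.time(), req["padata"][0]["value"], req["req-body"]
    tgt = decrypt(krbtgt_key, KU_TICKET, bytes.fromhex(pa["ticket"]))
    if "INVALID" in tgt["flags"]:
        raise ValueError("KRB_AP_ERR_TKT_NYV")       # postdated TGT not yet validated
    if tgt["endtime"] <= now:
        raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
    skey = bytes.fromhex(tgt["key"])
    auth = decrypt(skey, KU_TGS_REQ_AUTH, bytes.fromhex(pa["authenticator"]))
    if (auth["cname"], auth["crealm"]) != (tgt["cname"], tgt["crealm"]):
        raise ValueError("KRB_AP_ERR_BADMATCH")
    if abs(auth["ctime"] - now) > MAX_SKEW:
        raise ValueError("KRB_AP_ERR_SKEW")
    expect = _prf(skey, KU_TGS_REQ_CKSUM, json.dumps(body, sort_keys=True).encode())
    if not hmac.compare_digest(bytes.fromhex(auth["cksum"]), expect):
        raise ValueError("KRB_AP_ERR_MODIFIED")       # req-body altered in transit
    if body["sname"] not in service_keys:
        raise ValueError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
    options = set(body["kdc-options"])
    for f in ("FORWARDABLE", "PROXIABLE", "RENEWABLE"):   # granted only if the TGT has it
        if f in options and f not in tgt["flags"]:
            raise ValueError("KDC_ERR_BADOPTION")
    flags = sorted(options & {"FORWARDABLE", "PROXIABLE", "RENEWABLE"})
    endtime = int(min(body["till"], now + MAX_LIFE, tgt["endtime"]))  # never outlives the TGT
    session = os.urandom(32)
    ticket = {"sname": body["sname"], "realm": body["realm"], "cname": tgt["cname"],
              "crealm": tgt["crealm"], "key": session.hex(), "flags": flags,
              "authtime": tgt["authtime"], "starttime": int(now), "endtime": endtime}
    enc_part = {"key": session.hex(), "nonce": body["nonce"], "flags": flags, "authtime": tgt["authtime"],
                "endtime": endtime, "srealm": body["realm"], "sname": body["sname"]}
    if "subkey" in auth:   # reply goes under the client's subkey when one was supplied
        rep_key, usage = bytes.fromhex(auth["subkey"]), KU_TGS_REP_SUBKEY
    else:
        rep_key, usage = skey, KU_TGS_REP_SESSION
    return {"ticket": encrypt(service_keys[body["sname"]], KU_TICKET, ticket).hex(),
            "enc-part": encrypt(rep_key, usage, enc_part).hex()}

def client_process_tgs_rep(rep, req, tgt_key, subkey=None):
    """3.3.4: decrypt the reply and bind it to our request via nonce and sname."""
    key, usage = (subkey, KU_TGS_REP_SUBKEY) if subkey else (tgt_key, KU_TGS_REP_SESSION)
    enc = decrypt(key, usage, bytes.fromhex(rep["enc-part"]))
    if (enc["nonce"], enc["sname"]) != (req["req-body"]["nonce"], req["req-body"]["sname"]):
        raise ValueError("KRB_AP_ERR_MODIFIED")       # reply does not match our request
    return {"ticket": rep["ticket"], "session_key": bytes.fromhex(enc["key"]),
            "endtime": enc["endtime"], "flags": enc["flags"]}

def demo(options=("FORWARDABLE",), tgt_flags=("FORWARDABLE", "RENEWABLE")):
    """Whole exchange for alice -> HTTP/www.example.com on constructed sample data."""
    now = int(time.time())
    krbtgt_key, http_key, tgt_key, subkey = (os.urandom(32) for _ in range(4))
    tgt = {"cname": "alice", "crealm": "EXAMPLE.COM", "key": tgt_key.hex(),
           "flags": list(tgt_flags), "authtime": now, "endtime": now + 8 * 3600}
    tgt_blob = encrypt(krbtgt_key, KU_TICKET, tgt)   # as the AS exchange would have issued it
    req = client_build_tgs_req(tgt_blob, tgt_key, "alice", "EXAMPLE.COM", "HTTP/www.example.com",
                               now + 24 * 3600, options, subkey)
    rep = tgs_process(req, krbtgt_key, {"HTTP/www.example.com": http_key})
    out = client_process_tgs_rep(rep, req, tgt_key, subkey)
    # What the service sees later when it decrypts the ticket with its own key:
    out["service_view"] = decrypt(http_key, KU_TICKET, bytes.fromhex(out["ticket"]))
    out.update(req=req, krbtgt_key=krbtgt_key, http_key=http_key)
    return out
```

Running demo() walks a client through the exchange and returns what it ends up with, plus the ticket as the service will later decode it. Three details are the ones that matter in practice: the checksum inside the authenticator is what stops a network attacker from rewriting the unencrypted req-body (service name, options, till) on the way to the KDC; the nonce is what stops a stale reply from being substituted for the current one; and the TGS grants FORWARDABLE, PROXIABLE or RENEWABLE only when the TGT already carries that flag, which is why requesting PROXIABLE from this TGT yields KDC_ERR_BADOPTION rather than a ticket. Distinct key-usage numbers keep a ciphertext produced for one message from being replayed as another.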
Special Processing
The TGS handles various special cases, each selected by a kdc-option in the request and each allowed only if the presented ticket carries the matching flag:
- Ticket renewal (RENEW option on a RENEWABLE ticket whose renew-till time has not passed)
- Ticket validation (VALIDATE option on a postdated ticket that was issued INVALID and whose start time has now passed)
- Proxy and forwarded ticket requests (PROXY and FORWARDED options on PROXIABLE and FORWARDABLE tickets, issuing tickets for other network addresses)
- Cross-realm requests, where the TGT presented was issued by another realm's KDC
- User-to-user authentication (ENC-TKT-IN-SKEY), where the ticket is encrypted in the session key of a second ticket supplied in the request
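The option handling for the special cases above, written out as the KDC-side decision logic; this is an added example, not code from the page or from any KDC implementation. Tickets are plain dicts of flags and times (encryption is out of scope here), and the policy limits, the error-code strings and the mapping from kdc-options to the flags a TGT must carry are assumptions drawn from the rules RFC 4120 describes rather than from any particular KDC.

```python
"""TGS decision logic for the special cases of RFC 4120 3.3.3: plain issue,
RENEW, VALIDATE (postdated tickets), POSTDATED, FORWARDED and PROXY.
Tickets are plain dicts of flags and times; encryption is out of scope here.
Policy limits and the mapping of failures to error codes are assumptions."""

MAX_LIFE = 10 * 3600        # assumed policy: longest ticket lifetime, seconds
MAX_RENEW = 7 * 24 * 3600   # assumed policy: longest renewable lifetime, seconds
# kdc-option -> flag the presented TGT must carry for the option to be honored
REQUIRES = {"FORWARDABLE": "FORWARDABLE", "FORWARDED": "FORWARDABLE",
            "PROXIABLE": "PROXIABLE", "PROXY": "PROXIABLE", "RENEWABLE": "RENEWABLE",
            "ALLOW-POSTDATE": "MAY-POSTDATE", "POSTDATED": "MAY-POSTDATE"}

class KrbError(Exception):
    """Carries the KRB_ERROR code the TGS would return."""

def issue(ticket, options, sname, now, till=None, rtime=None, from_time=None):
    """Flags and times of the ticket the TGS issues for `options` against the
    presented `ticket`, or KrbError with the code of the KRB_ERROR reply."""
    options, tflags = set(options), set(ticket["flags"])
    if "VALIDATE" in options:
        # A postdated ticket is issued INVALID; once its starttime has passed the
        # client presents it back to the TGS and gets a copy with INVALID cleared.
        if "INVALID" not in tflags:
            raise KrbError("KDC_ERR_BADOPTION")
        if ticket["starttime"] > now:
            raise KrbError("KRB_AP_ERR_TKT_NYV")
        if ticket["endtime"] <= now:
            raise KrbError("KRB_AP_ERR_TKT_EXPIRED")
        return dict(ticket, flags=sorted(tflags - {"INVALID"}))
    # Every other request needs a ticket that is usable right now.
    if "INVALID" in tflags:
        raise KrbError("KRB_AP_ERR_TKT_NYV")
    if ticket["endtime"] <= now:
        raise KrbError("KRB_AP_ERR_TKT_EXPIRED")
    if "RENEW" in options:
        # Renewal moves the validity window; flags, authtime and renew-till stay.
        if "RENEWABLE" not in tflags or sname != ticket["sname"]:
            raise KrbError("KDC_ERR_BADOPTION")
        if ticket["renew_till"] <= now:
            raise KrbError("KRB_AP_ERR_TKT_EXPIRED")
        return dict(ticket, starttime=now, endtime=min(now + MAX_LIFE, ticket["renew_till"]))
    for opt, flag in REQUIRES.items():
        if opt in options and flag not in tflags:
            raise KrbError("KDC_ERR_BADOPTION")
    if "PROXY" in options and sname.startswith("krbtgt/"):
        raise KrbError("KDC_ERR_BADOPTION")   # a proxy ticket is never a TGT
    flags = options & {"FORWARDABLE", "PROXIABLE", "RENEWABLE", "FORWARDED", "PROXY"}
    if "ALLOW-POSTDATE" in options:
        flags.add("MAY-POSTDATE")
    if "FORWARDED" in tflags:
        flags.add("FORWARDED")   # tickets obtained with a forwarded TGT inherit the flag
    starttime = now
    if "POSTDATED" in options:
        if from_time is None or from_time <= now:
            raise KrbError("KDC_ERR_CANNOT_POSTDATE")
        starttime = from_time
        flags |= {"POSTDATED", "INVALID"}   # unusable until VALIDATEd
    endtime = min(till or starttime + MAX_LIFE, starttime + MAX_LIFE, ticket["endtime"])
    if endtime <= starttime:
        raise KrbError("KDC_ERR_NEVER_VALID")
    new = {"sname": sname, "flags": sorted(flags), "authtime": ticket["authtime"],
           "starttime": starttime, "endtime": endtime}
    if "RENEWABLE" in flags:
        new["renew_till"] = min(rtime or now + MAX_RENEW, now + MAX_RENEW, ticket["renew_till"])
    return new

def sample_tgt(now):
    """Constructed TGT as the AS exchange might have issued it (sample data)."""
    return {"sname": "krbtgt/EXAMPLE.COM", "flags": ["FORWARDABLE", "MAY-POSTDATE", "RENEWABLE"],
            "authtime": now - 60, "starttime": now - 60, "endtime": now + 8 * 3600,
            "renew_till": now + 3 * 24 * 3600}

if __name__ == "__main__":
    now = 1_700_000_000
    tgt = sample_tgt(now)
    print(issue(tgt, {"FORWARDED", "RENEWABLE"}, "HTTP/www.example.com", now))
    print(issue(tgt, {"RENEW"}, "krbtgt/EXAMPLE.COM", now + 7 * 3600))
```

Two points the code makes explicit: renewal never extends a ticket beyond its original renew-till and never touches authtime, so a renewed credential still records when the user last proved knowledge of the password; and a postdated ticket comes back INVALID and must make a second trip through the TGS with VALIDATE before any application server will accept it, which is what keeps a ticket issued for next week from being usable today.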
Reference
For complete technical details, refer to RFC 4120 Section 3.3.