3.6. The KRB_CRED Exchange
Overview
The KRB_CRED message carries Kerberos credentials (tickets together with the session keys needed to use them) from one principal to another. The KDC is not involved: the sender already holds the tickets, and the message lets a second party use them. The typical case is a client forwarding its ticket-granting ticket to a remote host so that a session there can obtain service tickets on the client's behalf, or a service being handed credentials so it can act for the client towards a backend.
Purpose
KRB_CRED is used for:
- Forwarding tickets, with their session keys, from one principal to another
- Delegation: letting a remote session or a service obtain further tickets on the client's behalf
- Populating the receiver's credential cache with tickets that were obtained somewhere else
Message Structure
KRB_CRED (pvno 5, msg-type 22) contains:
- tickets: one or more Ticket values, carried in the clear (each is already encrypted under the key of the service it names)
- enc-part: an EncKrbCredPart, encrypted under a key the sender and receiver already share (normally the session or subsession key from a preceding KRB_AP exchange, key usage 14), holding:
  - ticket-info: one KrbCredInfo per ticket, with the session key and copies of the ticket's prealm, pname, flags, authtime, starttime, endtime, renew-till, srealm, sname and caddr
  - optional nonce, timestamp and usec
  - optional s-address (sender) and r-address (recipient)
Generation of KRB_CRED Message
Sender:
- Selects the tickets to forward and, for each, the session key and ticket metadata that go into ticket-info
- Fills in the optional fields the receiver will check: timestamp and usec, a nonce if the receiver supplied one, and the sender and recipient addresses
- Encrypts the EncKrbCredPart under the key shared with the receiver (the session or subsession key from the preceding AP exchange)
- Sends the KRB_CRED message with the tickets in the clear and the encrypted part alongside them
Receipt of KRB_CRED Message
Receiver:
- Decrypts the EncKrbCredPart with the shared key; a decryption or integrity failure rejects the message
- If a timestamp is present, checks it against the local clock within the permitted skew (KRB_AP_ERR_SKEW) and against its replay cache (KRB_AP_ERR_REPEAT); if a nonce was supplied, checks that it matches
- If s-address or r-address is present, checks that they name the peer and the receiver itself (KRB_AP_ERR_BADADDR)
- Stores each ticket with its session key and metadata in its credential cache
- Can now use the forwarded credentials to authenticate to the services they name
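The sender and receiver steps above, modelled in Python as an added example (not code from RFC 4120 or from any Kerberos implementation). It builds the plaintext of an EncKrbCredPart on the sender side and runs the receiver's skew, replay, nonce and address checks before returning the entries to file in the credential cache. The RFC 3961 encryption of enc-part under the shared session key (key usage 14) is outside the example; the dataclass field names follow the ASN.1 in RFC 4120, the error codes follow its error table, and the five-minute skew, the replay-cache key and the sample principals and addresses are assumptions of the example.

```python
"""Sender-side assembly and receiver-side checks for the EncKrbCredPart
of a KRB_CRED message (RFC 4120 section 3.6).  Added example; the
encryption of enc-part under the shared session key is out of scope."""
import time
from dataclasses import dataclass, field
from typing import Optional

# Error codes from RFC 4120 section 7.5.9.
KRB_AP_ERR_REPEAT = 34    # the request is a replay
KRB_AP_ERR_SKEW = 37      # clock skew too great
KRB_AP_ERR_BADADDR = 38   # incorrect net address

# Acceptable clock skew in seconds.  Five minutes is what common
# implementations ship with; it is an assumption here, not fixed by the RFC.
DEFAULT_SKEW = 300


@dataclass
class KrbCredInfo:
    """One ticket-info entry: the session key plus the ticket metadata the
    receiver needs in order to file the ticket in its cache."""
    key: bytes                 # EncryptionKey.keyvalue
    keytype: int               # EncryptionKey.keytype (etype number)
    pname: str
    prealm: str
    sname: str
    srealm: str
    flags: set = field(default_factory=set)   # e.g. {"forwarded", "forwardable"}
    endtime: int = 0           # seconds since the epoch; 0 = not given
    caddr: tuple = ()          # addresses the ticket is bound to; empty = unrestricted


@dataclass
class EncKrbCredPart:
    ticket_info: list
    nonce: Optional[int] = None
    timestamp: Optional[int] = None
    usec: Optional[int] = None
    s_address: Optional[str] = None
    r_address: Optional[str] = None


class KrbError(Exception):
    def __init__(self, code, msg):
        super().__init__(f"{msg} (error {code})")
        self.code = code


def build_enc_part(infos, sender_addr, receiver_addr, nonce, now=None):
    """Sender side: assemble the plaintext EncKrbCredPart.  Timestamp/usec,
    nonce and the two addresses are what let the receiver reject replays
    and misdirected messages."""
    now = time.time() if now is None else now
    secs = int(now)
    return EncKrbCredPart(
        ticket_info=list(infos),
        nonce=nonce,
        timestamp=secs,
        usec=int(round((now - secs) * 1_000_000)),
        s_address=sender_addr,
        r_address=receiver_addr,
    )


def accept_enc_part(part, tickets, *, local_addr, peer_addr,
                    expected_nonce=None, replay_cache=None,
                    now=None, skew=DEFAULT_SKEW):
    """Receiver side: run the checks of section 3.6.2 on the decrypted part,
    then return the (ticket, info) pairs to store in the credential cache.
    `tickets` are the cleartext Ticket values from the outer KRB-CRED, in
    the same order as ticket-info."""
    now = time.time() if now is None else now
    if len(tickets) != len(part.ticket_info):
        raise ValueError("tickets and ticket-info do not line up")
    if part.timestamp is not None:
        if abs(now - part.timestamp) > skew:
            raise KrbError(KRB_AP_ERR_SKEW, "KRB_CRED timestamp outside clock skew")
        if replay_cache is not None:
            # Replay-cache key is an assumption of this example.
            tag = (peer_addr, part.timestamp, part.usec)
            if tag in replay_cache:
                raise KrbError(KRB_AP_ERR_REPEAT, "KRB_CRED replayed")
            replay_cache.add(tag)
    if expected_nonce is not None and part.nonce != expected_nonce:
        # The RFC assigns no dedicated error code to a nonce mismatch.
        raise ValueError("KRB_CRED nonce does not match the one we issued")
    if part.s_address is not None and part.s_address != peer_addr:
        raise KrbError(KRB_AP_ERR_BADADDR, "s-address is not the peer we are talking to")
    if part.r_address is not None and part.r_address != local_addr:
        raise KrbError(KRB_AP_ERR_BADADDR, "r-address is not us")
    entries = []
    for ticket, info in zip(tickets, part.ticket_info):
        if info.endtime and info.endtime <= now:
            continue   # already expired; nothing worth caching
        if info.caddr and local_addr not in info.caddr:
            continue   # ticket is bound to addresses this host does not have
        entries.append((ticket, info))
    return entries


if __name__ == "__main__":
    # Constructed sample: alice's TGT forwarded from 10.0.0.5 to 10.0.0.9.
    t0 = 1_700_000_000.25
    tgt_info = KrbCredInfo(key=b"\x01" * 32, keytype=18, pname="alice",
                           prealm="EXAMPLE.COM", sname="krbtgt/EXAMPLE.COM",
                           srealm="EXAMPLE.COM", flags={"forwarded", "forwardable"},
                           endtime=int(t0) + 36000)
    part = build_enc_part([tgt_info], "10.0.0.5", "10.0.0.9", nonce=4242, now=t0)
    cache = accept_enc_part(part, [b"<ticket DER>"], local_addr="10.0.0.9",
                            peer_addr="10.0.0.5", expected_nonce=4242,
                            replay_cache=set(), now=t0 + 10)
    print(f"cached {len(cache)} ticket(s) for {cache[0][1].pname}")
```

The replay cache has to be shared by every receiver instance on the host and keyed on something the sender cannot vary freely; a second delivery of the same part with the same timestamp and usec must hit the cache, which is exactly what makes the optional timestamp worth sending.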
Security Considerations
- The session keys are the sensitive part: they travel only inside enc-part, so the message must be encrypted under a key that only the sender and receiver hold, which is why KRB_CRED normally follows a KRB_AP exchange that established that key. The tickets themselves travel in the clear, as they are already encrypted for the services they name.
- The receiver ends up able to act as the client for the lifetime of the forwarded tickets, so it must be trusted to that extent; forwarding a TGT hands over everything the TGT can obtain.
- Forwarded tickets carry the FORWARDED flag and keep whatever restrictions they were issued with (lifetime, renewability, caddr); a ticket bound to addresses the receiver does not have cannot be used from there. See the ticket flags.
- The timestamp and usec give the receiver a replay-cache key, and a nonce ties the message to a request the receiver made; if neither is present, replay detection is left to the application protocol.
Use Cases
- Authentication forwarding: a user logs in to a remote host and forwards a TGT so that the session there can obtain service tickets as the user
- Service delegation: a web server receives the user's credentials so that it can authenticate to a backend database on the user's behalf
- Cache population: the tickets and keys the receiver accepts are filed in its credential cache and used like any locally obtained ticket
Reference
For complete technical details, refer to RFC 4120 Section 3.6 (the exchange) and Section 5.8 (the KRB_CRED message definition).