3. Message Exchanges
The following sections describe the interactions between network clients and servers and the messages involved in those exchanges.
Overview
The Kerberos protocol consists of several message exchange patterns that enable authentication and secure communication. This chapter describes the detailed message flows and requirements for each exchange type.
Exchange Types
Authentication Service (AS) Exchange
The AS exchange is used when a client first authenticates to the Kerberos system to obtain a Ticket-Granting Ticket (TGT).
Client/Server Authentication Exchange
The client/server authentication exchange is used when a client authenticates directly to an application server using a service ticket.
Ticket-Granting Service (TGS) Exchange
The TGS exchange is used to obtain service tickets using an existing TGT.
Secure Message Exchanges
- KRB_SAFE: Provides integrity protection for messages
- KRB_PRIV: Provides confidentiality and integrity protection
- KRB_CRED: Used for credential forwarding
User-to-User Authentication
User-to-user authentication supports peer-to-peer authentication scenarios.
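When triaging captured Kerberos traffic, the outer ASN.1 tag of each message identifies which of the exchanges above it belongs to. The following is an added example, not text from the page or from RFC 4120: the tag numbers come from the RFC 4120 ASN.1 module, the function names are hypothetical, and the sample byte strings are constructed with filler bodies.

```python
import struct

# [APPLICATION n] tags from the RFC 4120 ASN.1 module -> (message, exchange).
KRB_MESSAGES = {
    10: ("AS-REQ", "AS exchange"),
    11: ("AS-REP", "AS exchange"),
    12: ("TGS-REQ", "TGS exchange"),
    13: ("TGS-REP", "TGS exchange"),
    14: ("AP-REQ", "Client/Server authentication exchange"),
    15: ("AP-REP", "Client/Server authentication exchange"),
    20: ("KRB-SAFE", "KRB_SAFE exchange"),
    21: ("KRB-PRIV", "KRB_PRIV exchange"),
    22: ("KRB-CRED", "KRB_CRED exchange"),
    30: ("KRB-ERROR", "error reply (any exchange)"),
}

# Constructed samples: correct outer framing, filler bytes as the body.
SAMPLE_AS_REQ = bytes([0x6A, 0x03, 0x30, 0x01, 0x00])
SAMPLE_TGS_REQ = bytes([0x6C, 0x81, 0x80]) + bytes(128)  # long-form length
SAMPLE_PRIV_TCP = struct.pack(">I", 5) + bytes([0x75, 0x03, 0x30, 0x01, 0x00])

def der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated before length field")
    first = buf[pos]
    if first < 0x80:                      # short form: one octet
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify(data, tcp=False):
    """Name the Kerberos message and its exchange for one captured payload."""
    if tcp:  # over TCP each message carries a 4-octet big-endian length prefix
        if len(data) < 4 or struct.unpack(">I", data[:4])[0] != len(data) - 4:
            raise ValueError("TCP length prefix does not match payload")
        data = data[4:]
    if not data or (data[0] & 0xE0) != 0x60:
        raise ValueError("not an APPLICATION-class constructed tag")
    length, body = der_length(data, 1)
    if body + length != len(data):
        raise ValueError("DER length does not match payload size")
    tag = data[0] & 0x1F
    if tag not in KRB_MESSAGES:
        raise ValueError(f"unknown Kerberos message tag {tag}")
    return KRB_MESSAGES[tag]
```

A user-to-user request travels as an ordinary TGS-REQ, so the outer tag alone does not distinguish it from a regular TGS exchange.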
Related Sections
- 3.1. The Authentication Service Exchange
- 3.2. The Client/Server Authentication Exchange
- 3.3. The Ticket-Granting Service (TGS) Exchange
- 3.4. The KRB_SAFE Exchange
- 3.5. The KRB_PRIV Exchange
- 3.6. The KRB_CRED Exchange
- 3.7. User-to-User Authentication Exchanges
Reference
For complete technical details of all message exchanges, refer to RFC 4120 Section 3.