Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)

Information About Kerberos
Obtaining a TGT from a KDC
This section describes the second layer of security through which a remote user must pass. The user must now
authenticate to a key distribution center (KDC) and obtain a ticket granting ticket (TGT) from the KDC to
access network services.
When a remote user authenticates to a boundary device, that user technically becomes part of the network;
that is, the network is extended to include the remote user and the user's machine or network. To gain access
to network services, however, the remote user must obtain a TGT from the KDC. The following process
describes how remote users authenticate to the KDC:
1 The remote user, at a workstation on a remote site, launches the KINIT program (part of the client software provided with the Kerberos protocol).
2 The KINIT program determines the identity (principal name) of the user and requests a TGT for that user from the KDC.
3 The KDC creates a TGT, which contains the identity of the user, the identity of the KDC, and the expiration time of the TGT.
4 Using a key derived from the user's password, the KDC encrypts the reply that carries the TGT and sends it to the workstation. Note that the KDC has not yet verified anything about the requester at this point.
5 When the KINIT program receives the encrypted reply, it prompts the user for a password (this is the password that is defined for the user in the KDC). The password is used only on the workstation; it is never sent to the KDC.
6 If the KINIT program can decrypt the reply with the key derived from the password the user enters, the user is authenticated to the KDC, and the KINIT program stores the TGT in the user's credential cache. A wrong password simply fails to decrypt the reply.
At this point, the user has a TGT and can communicate securely with the KDC. In turn, the TGT allows the
user to authenticate to other network services.
Authenticating to Network Services
This section describes the third layer of security through which a remote user must pass. The user with a ticket
granting ticket (TGT) must now authenticate to the network services in a Kerberos realm.
The following process describes how a remote user with a TGT authenticates to network services within a
given Kerberos realm. Assume the user is on a remote workstation (Host A) and wants to log in to Host B.
1 The user on Host A initiates a Kerberized application (such as Telnet) to Host B.
2 The Kerberized application builds a service credential request and sends it to the KDC. The service credential request includes (among other things) the user's identity, the identity of the desired network service, and the user's TGT; the request is protected with the session key that the KDC issued together with the TGT.
3 The KDC decrypts the TGT it issued to the user on Host A with its own key and uses the session key carried inside the TGT to check the request. If the check succeeds, the KDC is assured that the authenticated user on Host A sent the request; if the TGT has expired or the check fails, the request is refused.
4 The KDC notes the network service identity in the service credential request.
5 The KDC builds a service credential for the appropriate network service on Host B on behalf of the user on Host A. The service credential contains the client's identity, the desired network service's identity, and an expiration time.
6 The KDC then encrypts the service credential twice. It first encrypts the credential with the secret key of the network service identified in the credential (the key that service keeps in its SRVTAB and shares with the KDC), so that only Host B can read it. It then encrypts the session key that accompanies the credential with the TGT session key of the user (who, in this case, is on Host A), so that only Host A can read that part.
7 The KDC sends the twice-encrypted credential to Host A.
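Both exchanges above (the TGT flow and the service credential flow), traced end to end in a toy Python model. This is an added example and not Cisco's code nor that of any Kerberos implementation: the XOR-stream-plus-HMAC cipher and PBKDF2 key derivation stand in for Kerberos encryption types and string2key, and the realm EXAMPLE.COM, the user alice, the service principal host/hostb.example.com, the passwords and the ticket lifetimes are constructed for illustration. It follows the RFC 4120 layout of the messages: the TGT itself is sealed under a key only the KDC holds, and what the user's password-derived key unlocks is the session key that accompanies the TGT; likewise the service ticket is sealed under the service's SRVTAB key and its session key under the TGT session key.

```python
"""Toy model of the Kerberos TGT and service-ticket exchanges (added example, not
Cisco's or MIT Kerberos's code; cipher and key derivation are stand-ins)."""
import hashlib, hmac, json, os, time

LIFETIME = 600      # ticket lifetime in seconds (constructed value)
SKEW = 300          # accepted authenticator clock skew, a common KDC default

def derive_key(password: str, realm: str, principal: str) -> bytes:
    # Stand-in for string2key: the salt is realm + principal name, as in RFC 4120.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (realm + principal).encode(), 10_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON-able dict: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, realm: str, passwords: dict, srvtab: dict):
        self.realm = realm
        self.krbtgt_key = os.urandom(32)             # the KDC's own key; never leaves the KDC
        self.user_keys = {u: derive_key(p, realm, u) for u, p in passwords.items()}
        self.srvtab = srvtab                         # service principal -> long-term service key

    def as_exchange(self, user: str):
        """Steps 2-4 of the TGT flow: TGT under the KDC key, session key under the user's key."""
        session_key = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": user, "kdc": self.realm,
                                     "key": session_key.hex(), "expires": time.time() + LIFETIME})
        return tgt, seal(self.user_keys[user], {"key": session_key.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Steps 3-7 of the service flow: open the TGT, verify the requester, issue a service ticket."""
        body = unseal(self.krbtgt_key, tgt)          # only the KDC can open a TGT
        if body["expires"] < time.time():
            raise ValueError("TGT expired")
        session_key = bytes.fromhex(body["key"])
        auth = unseal(session_key, authenticator)    # proves the sender holds the TGT session key
        if auth["client"] != body["client"] or abs(time.time() - auth["timestamp"]) > SKEW:
            raise ValueError("authenticator rejected")
        svc_key = os.urandom(32)
        ticket = seal(self.srvtab[service], {"client": body["client"], "service": service,
                                             "key": svc_key.hex(), "expires": time.time() + LIFETIME})
        return ticket, seal(session_key, {"service": service, "key": svc_key.hex()})

def kinit(kdc: KDC, user: str, password: str) -> dict:
    """Client side of the TGT flow; returns the credential cache (TGT + session key)."""
    tgt, enc_part = kdc.as_exchange(user)
    user_key = derive_key(password, kdc.realm, user)                # step 5: password typed locally
    session_key = bytes.fromhex(unseal(user_key, enc_part)["key"])  # step 6: wrong password fails here
    return {"client": user, "tgt": tgt, "session_key": session_key}

def get_service_ticket(kdc: KDC, ccache: dict, service: str):
    """Client side of the service flow (Host A asking for a ticket to a service on Host B)."""
    authenticator = seal(ccache["session_key"], {"client": ccache["client"], "timestamp": time.time()})
    ticket, enc_part = kdc.tgs_exchange(ccache["tgt"], authenticator, service)
    return ticket, bytes.fromhex(unseal(ccache["session_key"], enc_part)["key"])

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """Host B: open the ticket with its own SRVTAB key, then check the client's authenticator."""
    body = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(body["key"]), authenticator)
    return body["expires"] > time.time() and auth["client"] == body["client"]

def demo():
    """Run both flows; returns (login accepted, wrong password rejected, forged ticket rejected)."""
    realm, svc = "EXAMPLE.COM", "host/hostb.example.com"      # constructed realm and principals
    srvtab = {svc: os.urandom(32)}
    kdc = KDC(realm, {"alice": "correct horse battery"}, srvtab)
    ccache = kinit(kdc, "alice", "correct horse battery")
    ticket, svc_key = get_service_ticket(kdc, ccache, svc)
    accepted = service_accepts(srvtab[svc], ticket,
                               seal(svc_key, {"client": "alice", "timestamp": time.time()}))
    def rejected(fn):           # True if the attempt raises the decryption failure
        try:
            fn(); return False
        except ValueError:
            return True
    forged = seal(os.urandom(32), {"client": "mallory", "key": "00", "expires": 0})  # not the SRVTAB key
    return (accepted, rejected(lambda: kinit(kdc, "alice", "wrong password")),
            rejected(lambda: service_accepts(srvtab[svc], forged, b"")))

if __name__ == "__main__":
    print(demo())
```

Running the file prints (True, True, True): the login succeeds, a wrong password fails at step 6 on the workstation (the KDC never sees the password), and a ticket that was not sealed with Host B's SRVTAB key is refused by Host B. One caveat the flow makes visible: in step 4 the KDC hands out the password-encrypted reply before anyone has proved knowledge of the password, so without Kerberos pre-authentication anyone who can name a principal can obtain that reply and attack the password offline. Require pre-authentication on the KDC for any principal that matters.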
