Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual page 855

45.2.3 Mutual Authentication
Kerberos authentication can be used in both directions. It is not only a question of the client being the one it claims to be. The server should also be able to authenticate itself to the client requesting its service. Therefore, it sends some kind of authenticator itself. It adds one to the checksum it received in the client's authenticator and encrypts it with the session key, which is shared between it and the client. The client takes this response as proof of the server's authenticity, and they both start cooperating.
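
The exchange described above, as an added example that is not part of the original manual: the server proves itself by returning the client's checksum plus one under the session key, and a server that does not hold the service key fails the check. `seal`/`unseal` are a toy encrypt-then-MAC stand-in for Kerberos's real encryption types, the principal, keys and checksum are constructed values, and the example relies on the standard Kerberos behaviour that the ticket carries the session key.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); a stand-in for a real Kerberos enctype.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the object, or None if blob was not sealed under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def server_reply(service_key, ticket, authenticator):
    """Server side: recover the session key from the ticket, check the
    authenticator, and answer with checksum + 1 under the session key."""
    t = unseal(service_key, ticket)
    if t is None:
        return None  # cannot read the ticket: not the real service
    session_key = bytes.fromhex(t["session_key"])
    auth = unseal(session_key, authenticator)
    if auth is None or auth["client"] != t["client"]:
        return None
    return seal(session_key, {"checksum": auth["checksum"] + 1})

def client_accepts(session_key, checksum, reply):
    """Client side: the server is authentic only if the reply decrypts
    under the session key and carries checksum + 1."""
    r = unseal(session_key, reply) if reply else None
    return r is not None and r["checksum"] == checksum + 1

def demo(server_key_used):
    # Constructed sample values; the KDC would issue the ticket and session key.
    service_key, session_key, checksum = b"K" * 32, os.urandom(32), 41
    ticket = seal(service_key, {"client": "tux@EXAMPLE.COM", "session_key": session_key.hex()})
    authenticator = seal(session_key, {"client": "tux@EXAMPLE.COM", "checksum": checksum})
    reply = server_reply(server_key_used, ticket, authenticator)
    return client_accepts(session_key, checksum, reply)
```

`demo(b"K" * 32)` models the genuine server and is accepted; `demo` with any other key models a host without the service key and is rejected.
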
45.2.4 Ticket Granting—Contacting All Servers
Tickets are designed to be used for one server at a time. This implies that you have to get a new ticket each time you request another service. Kerberos implements a mechanism to obtain tickets for individual servers. This service is called the "ticket-granting service". The ticket-granting service is a service just like any other service mentioned before, so it uses the same access protocols that have already been outlined. Any time an application needs a ticket that has not already been requested, it contacts the ticket-granting server. This request consists of the following components:
• The requested principal
• The ticket-granting ticket
• An authenticator
Like any other server, the ticket-granting server now checks the ticket-granting ticket and the authenticator. If they are considered valid, the ticket-granting server builds a new session key to be used between the original client and the new server. Then the ticket for the new server is built, containing the following information:
• The client's principal
• The server's principal
• The current time
• The client's IP address
Network Authentication—Kerberos