Authenticating a user
In Kerberos, authentication is performed without the user's password being sent over the wire. The sequence of steps to authenticate a user is as follows:
1. The user boots up their computer, which is connected to the network, and enters their credentials (username and password).
2. The computer generates an authenticator packet that is encrypted using the user's password and sends it to the KDC. A key thing to note here is that the password is not sent to the KDC.
3. When the KDC receives the authenticator packet, it uses the shared secret password to decrypt it. If the KDC can decrypt the packet, it trusts this user and provides a Ticket Granting Ticket (TGT), thus authenticating the user to log in to the network. The TGT has a limited validity period and resides on the user's computer.
4. If the KDC can't decrypt the packet, the user authentication fails, and the user is not allowed to log in to the network.
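
The four steps above as a runnable sketch (an added example, not code from the original text). It assumes the authenticator packet carries a timestamp, as Kerberos pre-authentication does, and uses PBKDF2 with an HMAC-based encrypt-then-MAC construction as a stand-in for a real Kerberos encryption type; REALM, MAX_SKEW, TGT_LIFETIME, seal and unseal are hypothetical names.

```python
import hashlib, hmac, os, struct, time

REALM, MAX_SKEW, TGT_LIFETIME = "EXAMPLE.COM", 300, 8 * 3600  # constructed values

def derive_key(password, principal):
    # Client and KDC derive the same long-term key from the shared password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _stream(key, nonce, n):
    # Toy keystream built from HMAC-SHA256 in counter mode (stand-in cipher).
    blocks = (hmac.new(key, b"enc" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC, so "can decrypt" is a verifiable yes/no answer.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Returns None when the key is wrong or the blob was tampered with.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def client_authenticator(principal, password, now):
    # Step 2: only the encrypted timestamp leaves the workstation.
    return seal(derive_key(password, principal), struct.pack(">Q", int(now)))

class KDC:
    def __init__(self, users):
        # The KDC holds each user's long-term key and its own ticket-sealing key.
        self.keys = {u: derive_key(p, u) for u, p in users.items()}
        self.tgs_key = os.urandom(32)

    def authenticate(self, principal, blob, now):
        # Steps 3 and 4: issue a time-limited TGT only if the packet decrypts and is fresh.
        key = self.keys.get(principal)
        stamp = unseal(key, blob) if key else None
        if stamp is None or len(stamp) != 8 or abs(int(now) - struct.unpack(">Q", stamp)[0]) > MAX_SKEW:
            return None
        expiry = int(now) + TGT_LIFETIME
        return seal(self.tgs_key, principal.encode() + struct.pack(">Q", expiry))

if __name__ == "__main__":
    kdc, t = KDC({"alice": "correct horse"}), time.time()
    print("TGT issued:", kdc.authenticate("alice", client_authenticator("alice", "correct horse", t), t) is not None)
```

The freshness check rejects a captured authenticator replayed outside the skew window, and the TGT is sealed under a key that only the KDC holds, so the client stores it but cannot alter its expiry.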