Getting the TGT

• The client now decrypts the session key using the client’s secret key (which it got from the user’s password)

• Now the user has a session key, Ks1, and a Kerberos ticket-granting-ticket (KRBTGT) encrypted with the TGS’s secret key, E(TGT, KTGS)

• These are stored locally in a file called a credentials cache.

• Notice the user’s password never goes over the network.

Previous slide

Next slide

Back to first slide

View graphic version