On Aug 2, 2008, at 06:03, kisito wrote:
> In the operation of the Kerberos protocol, why Authentication
> Server , when
> delivering the TGT, does not directly issued the service ticket? (so
> I do
> not see why have complicated the protocol by introducing the TGS)

If you're going to contact a dozen services during your login session,
the TGT will let you get service tickets for them without asking for
your password over and over again.

Theoretically (if the protocol were set up for it) you could get them
all at once and prompt for the password only once, but that only works
if you know what all of them are when you log in; for a realm with
possibly thousands of servers, you can't practically get Kerberos
style credentials (dependent on shared secrets between the KDC and
each individual service, hence needing different credentials for each
service) for all of them at login time just in case you might want to
talk to them later. It also doesn't help in the cross-realm
authentication case, where you need credentials to send to some other
site's KDC, so it can issue you credentials to talk to one or more
services at that site; this is also done with a kind of TGT issued by
your "home" KDC.

The ticket-granting ticket model lets you transparently (we hope!) get
additional tickets as you need them during your session, without
having to decide up front.