Note that you *can* get a service ticket when you authenticate. In fact
this is required by some highly secure service such as kpasswd. But this
is exceptional

-----Original Message-----
From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On
Behalf Of Ken Raeburn
Sent: Monday, August 04, 2008 9:20 AM
To: kisito
Cc: kerberos@MIT.EDU
Subject: Re: Kerboros explain

On Aug 2, 2008, at 06:03, kisito wrote:
> In the operation of the Kerberos protocol, why Authentication Server ,


> when delivering the TGT, does not directly issued the service ticket?
> (so I do not see why have complicated the protocol by introducing the
> TGS)


If you're going to contact a dozen services during your login session,
the TGT will let you get service tickets for them without asking for
your password over and over again.

Theoretically (if the protocol were set up for it) you could get them
all at once and prompt for the password only once, but that only works
if you know what all of them are when you log in; for a realm with
possibly thousands of servers, you can't practically get Kerberos style
credentials (dependent on shared secrets between the KDC and each
individual service, hence needing different credentials for each
service) for all of them at login time just in case you might want to
talk to them later. It also doesn't help in the cross-realm
authentication case, where you need credentials to send to some other
site's KDC, so it can issue you credentials to talk to one or more
services at that site; this is also done with a kind of TGT issued by
your "home" KDC.

The ticket-granting ticket model lets you transparently (we hope!) get
additional tickets as you need them during your session, without having
to decide up front.

Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos