credentials (name/password).
Active Directory (AD) user account information, in order to verify the given credentials.
Ticket Getting Ticket (TGT).
* The TGT allows the user to obtain service session tickets to access servers in the domain, without having to enter the credentials again.
* The TGT is good for 10 hours by default (it's configurable).
TGT to the KDC to obtain a Service (Session) Ticket (ST).
KDC's Ticket Granting Service (TGS) component authenticates the TGT and grants an ST.
* The ST consists of a ticket and a session key.
* An ST is created for both the client and the server being accessed.
ST to create a session with the service on the server.
TGS within the ST, and the client is authenticated to the server.
* The heart of the solution is that the credentials are only used during login.
* They are not passed from client to server ever again.
* Neither name nor pwd is sent over the wire.
* Why use it?
* How does it compare to Impersonation?
Wow..it's there on page 938 onwards. Actually…go back to Page 933 and read that…
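
The login, TGT and ST exchange described above, as an added toy model (not from the original notes or the book they refer to). It uses a SHA-256/HMAC stand-in for the real Kerberos encryption types, and the user `alice`, service `http/web01`, salt and password are constructed; real Kerberos messages carry more fields. `run()` returns the authenticated user plus every message that crossed the wire.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # SHA-256 counter keystream (toy cipher, not a Kerberos etype)
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def seal(key, obj):  # encrypt-then-MAC a JSON object under `key`
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):  # raises ValueError on a wrong key or a tampered message
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))
def pw_key(password, salt="EXAMPLE.TESTalice"):  # long-term key from password; constructed salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

class KDC:
    def __init__(self, users, services):  # users/services: name -> long-term key
        self.users, self.services, self.krbtgt = users, services, os.urandom(32)
    def login(self, user, preauth):  # verify credentials against the account store, issue TGT
        unseal(self.users[user], preauth)  # only the right password-derived key passes
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "sk": sk, "exp": time.time() + 10 * 3600})
        return tgt, seal(self.users[user], {"sk": sk})
    def tgs(self, tgt, auth, service):  # authenticate the TGT, grant an ST
        t = unseal(self.krbtgt, tgt)
        if t["exp"] < time.time() or unseal(bytes.fromhex(t["sk"]), auth)["user"] != t["user"]:
            raise ValueError("TGT rejected")
        ssk = os.urandom(32).hex()
        st = seal(self.services[service], {"user": t["user"], "sk": ssk})
        return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def service_accept(service_key, st, auth):  # server side: open the ST, check the client
    t = unseal(service_key, st)
    if unseal(bytes.fromhex(t["sk"]), auth)["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]

def run(password, user="alice", svc="http/web01"):  # constructed account and service
    kdc = KDC({user: pw_key("correct horse")}, {svc: os.urandom(32)})
    ukey, now = pw_key(password), {"user": user, "ts": time.time()}
    wire = [seal(ukey, now)]                  # [0] login proof, not the password itself
    wire += kdc.login(user, wire[0])          # [1] TGT, [2] session key sealed for the user
    sk = bytes.fromhex(unseal(ukey, wire[2])["sk"])
    wire.append(seal(sk, now))                # [3] authenticator sent with the TGT
    wire += kdc.tgs(wire[1], wire[3], svc)    # [4] ST, [5] service session key sealed under sk
    ssk = bytes.fromhex(unseal(sk, wire[5])["sk"])
    wire.append(seal(ssk, now))               # [6] authenticator sent with the ST
    return service_accept(kdc.services[svc], wire[4], wire[6]), wire
```

After step [2] the client only uses session keys, so the service never handles the password or the password-derived key; a wrong password fails at the KDC with `ValueError`.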