Kerberos concepts

Network authentication service uses Kerberos protocol terms, including KDC, principal, key table, and Kerberos tickets.

KDC, principal, and key table

The key distribution center (KDC), also known as the Kerberos server, is composed of the authentication server and the ticket-granting server. The authentication server issues ticket-granting tickets and the ticket-granting server issues service tickets. It is important that you use a secure machine to act as your Kerberos server. If someone gained access to the Kerberos server, your entire realm might be compromised.

In a Kerberos realm, the term principal refers to the name of a user or service. On the IBM® i operating system, the krbsvr400 service principal is used to identify the service used by IBM i Access Client Solutions, QFileSrv.400, and Telnet servers when authenticating from the client to the IBM i platform.

The key table is composed of entries that contain the service principal's name and secret key. On the IBM i operating system, a key table file is created during configuration of network authentication service. When a service requests authentication to a system with network authentication service configured, the operating system checks the key table file for that service's credentials.

To ensure that users and services are authenticated properly, you must have users and services created on the Kerberos server and on IBM i. Entries are added to the key table during the processing of the Network Authentication Service wizard. You can also add entries to the key table by using the keytab command from within the Qshell Interpreter in the character-based interface.

Note: This Domain Name System (DNS) name must be the same as the host name defined on the machine. For more information about how DNS and Kerberos work together, see Host name resolution considerations.

Kerberos tickets

A Kerberos ticket is a transparent application mechanism that transmits the identity of an initiating principal to its target. A simple ticket contains the principal's identity, a session key, a timestamp, and other information, which is sealed using the target's secret key. Kerberos tickets can be renewable, forwardable, or proxiable.

Forwardable tickets let you transfer your complete identity (TGT) to another machine, whereas proxiable tickets only let you transfer particular tickets. Proxiable tickets allow a service to perform a task on behalf of a principal. The service must be able to take on the identity of the principal for a particular purpose. A proxiable ticket tells the Kerberos server that it can issue a new ticket to a different network address, based on the original ticket-granting ticket. With proxiable tickets, a password is not required.

In some cases, an application or a service might want to have tickets that are valid for an extended period of time. However, the extended time might allow someone to steal these credentials, which remain valid until the ticket expires. Renewable tickets allow applications to obtain tickets that are valid for extended periods. Renewable tickets contain two expiration times. The first expiration applies to the current instance of the ticket, and the second applies to the latest permissible expiration for the ticket.
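The following added example (not code from this documentation or from IBM i) models the ticket flags and the two expiration times described in the two paragraphs above, and shows how a renewal is refused for an expired or non-renewable ticket and clipped to the latest permissible expiration so that a stolen renewable ticket cannot be extended indefinitely. The principal names, realm EXAMPLE.COM and lifetimes are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
# Constructed issue time used by the sample ticket below.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Ticket:
    """Constructed model of the ticket fields discussed above, not a real wire-format ticket."""
    principal: str                  # initiating principal, e.g. a user
    service: str                    # target service principal, e.g. krbsvr400/host@REALM
    start: datetime
    end: datetime                   # first expiration: this instance of the ticket
    renew_till: Optional[datetime]  # second expiration: latest permissible end (renewable only)
    flags: FrozenSet[str]           # subset of {"renewable", "forwardable", "proxiable"}


def sample_tgt() -> Ticket:
    """A renewable TGT valid for 10 hours that may be renewed for up to 7 days (constructed)."""
    return Ticket("alice@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                  T0, T0 + 10 * HOUR, T0 + 7 * DAY, frozenset({"renewable", "forwardable"}))


def is_valid(t: Ticket, now: datetime) -> bool:
    return t.start <= now < t.end


def renew(t: Ticket, now: datetime, lifetime: timedelta) -> Ticket:
    """Model the KDC's renewal decision: only an unexpired, renewable ticket is renewed, and the
    new end time never passes renew_till, which bounds how long a stolen ticket stays usable."""
    if "renewable" not in t.flags or t.renew_till is None:
        raise ValueError("ticket is not renewable")
    if not is_valid(t, now):
        raise ValueError("ticket has expired; a new ticket must be obtained")
    if now >= t.renew_till:
        raise ValueError("latest permissible expiration reached; cannot renew")
    new_end = min(now + lifetime, t.renew_till)
    return Ticket(t.principal, t.service, now, new_end, t.renew_till, t.flags)


def may_transfer(t: Ticket, whole_identity: bool) -> bool:
    """Forwardable lets the complete identity (TGT) move to another machine; proxiable only
    lets particular tickets be used on the principal's behalf."""
    return "forwardable" in t.flags if whole_identity else "proxiable" in t.flags
```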