Connected: An Internet Encyclopedia
3.2.1. The KRB_AP_REQ message


3.2.1. The KRB_AP_REQ message


The KRB_AP_REQ contains authentication information which should be part of the first message in an authenticated transaction. It contains a ticket, an authenticator, and some additional bookkeeping information (see section 5.5.1 for the exact format). The ticket by itself is insufficient to authenticate a client, since tickets are passed across the network in cleartext. (Tickets contain both an encrypted and unencrypted portion, so cleartext here refers to the entire unit, which can be copied from one message and replayed in another without any cryptographic skill.) The authenticator is therefore used to prevent invalid replay of tickets by proving to the server that the client knows the session key of the ticket and thus is entitled to use it. The KRB_AP_REQ message is referred to elsewhere as the "authentication header."
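The following sketch is an added example, not code from RFC 1510: a server-side check showing why a copied ticket alone is rejected unless the accompanying authenticator is sealed under the ticket's session key. The `seal`/`unseal` toy cipher, the JSON field names, all key and principal values, and the timestamp freshness check (drawn from the rest of RFC 1510, not from this section) are assumptions made for illustration and do not reflect the wire format of section 5.5.1.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream: SHA-256 in counter mode (assumption, not a Kerberos etype).
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for the Kerberos encryption layer."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the decoded dict, or None if blob was not sealed under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def verify_ap_req(service_key, ticket, authenticator, now, max_skew=300):
    """Server side: the ticket yields the session key; the authenticator must open with it."""
    t = unseal(service_key, ticket)
    if t is None:
        return "reject: ticket not issued for this service"
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a is None:
        return "reject: authenticator not sealed under the ticket's session key"
    if a["client"] != t["client"]:
        return "reject: client name mismatch"
    if abs(now - a["ctime"]) > max_skew:
        return "reject: stale authenticator"
    return "accept: " + t["client"]

# Constructed sample values (not from the RFC).
SERVICE_KEY = hashlib.sha256(b"constructed service long-term key").digest()
SESSION_KEY = hashlib.sha256(b"constructed session key").digest()
NOW = 1_000_000
TICKET = seal(SERVICE_KEY, {"client": "alice@EXAMPLE.COM", "session_key": SESSION_KEY.hex()})
GOOD_AUTH = seal(SESSION_KEY, {"client": "alice@EXAMPLE.COM", "ctime": NOW})
# A party that copied TICKET off the wire but never learned SESSION_KEY.
FORGED_AUTH = seal(os.urandom(32), {"client": "alice@EXAMPLE.COM", "ctime": NOW})

if __name__ == "__main__":
    print(verify_ap_req(SERVICE_KEY, TICKET, GOOD_AUTH, NOW))
    print(verify_ap_req(SERVICE_KEY, TICKET, FORGED_AUTH, NOW))
    print(verify_ap_req(SERVICE_KEY, TICKET, GOOD_AUTH, NOW + 3600))
```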

