Process overview

The Kerberos authentication process works as follows:

  1. A client application requests a “ticket” from the Kerberos server to access a specific service.

  2. The Kerberos server returns the ticket to the client. The ticket contains two packets: the first is encrypted using the user password, the second using the service password. Each packet contains a copy of the same “session key.”

  3. The client decrypts the user packet to get the session key.

  4. The client creates a new authentication packet and encrypts it using the session key.

  5. The client sends the authentication packet and the service packet to the service.

  6. The service decrypts the service packet to get the session key and decrypts the authentication packet to get the user information.

  7. The service compares the user information from the authentication packet with the user information that was also contained in the service packet. If the two match, the user has been authenticated.

  8. The service creates a confirmation packet that contains service-specific information, as well as validation data taken from the authentication packet.

  9. The service encrypts this data with the session key and returns it to the client.

  10. The client uses the session key obtained from the user packet it received from Kerberos to decrypt the packet and validates that the service is what it claims to be.

In this way, the user and the service are mutually authenticated: the service has verified that the authenticator was built by someone holding the session key from the user packet, and the client has verified that the confirmation was built by someone holding the session key from the service packet. All subsequent communication between the client and the service (in this case, the Adaptive Server database server) is encrypted using the session key, which protects all data exchanged between the service and the client from eavesdroppers.
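The ten steps above, modelled end to end as an added example (not code from Adaptive Server or any Kerberos implementation). The wrapping cipher is a constructed toy (SHAKE-256 keystream plus HMAC-SHA256 tag, encrypt-then-MAC), the packet contents are plain JSON, and the principal names and keys are assumptions; what the model shows is the structure of the exchange: one session key wrapped twice, the name comparison at the service, and the nonce echo the client checks.

```python
# Added model of the ten-step exchange above; the cipher is a constructed toy
# (SHAKE-256 keystream + HMAC-SHA256 tag, encrypt-then-MAC), not Kerberos' own.
import hashlib, hmac, json, secrets

def seal(key, obj):
    """Wrap a JSON object as nonce || ciphertext || tag under `key`."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reject the packet unless the tag verifies under this key, then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered packet")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def kdc_issue(user_key, service_key, user, service):
    """Steps 1-2: one session key, wrapped once for the user and once for the service."""
    sk = secrets.token_hex(16)
    return seal(user_key, {"sk": sk, "service": service}), seal(service_key, {"sk": sk, "user": user})

def client_authenticate(user_key, user_packet, user, nonce):
    """Steps 3-5: recover the session key from the user packet, build the authenticator."""
    sk = bytes.fromhex(unseal(user_key, user_packet)["sk"])
    return sk, seal(sk, {"user": user, "nonce": nonce})

def service_verify(service_key, service_packet, auth_packet, service):
    """Steps 6-9: compare the user named in both packets, then reply under the session key."""
    ticket = unseal(service_key, service_packet)
    sk = bytes.fromhex(ticket["sk"])
    auth = unseal(sk, auth_packet)
    if auth["user"] != ticket["user"]:
        raise ValueError("authenticator user does not match ticket user")
    return seal(sk, {"service": service, "nonce": auth["nonce"]})

def client_confirm(sk, confirmation, nonce, service):
    """Step 10: the reply must decrypt under the session key, echo our nonce and name the service."""
    reply = unseal(sk, confirmation)
    return reply["nonce"] == nonce and reply["service"] == service

def run_exchange(user_key, service_key, user="alice", service="ase/dbhost"):
    """Run the whole exchange with assumed principal names; True on mutual authentication."""
    user_pkt, service_pkt = kdc_issue(user_key, service_key, user, service)
    nonce = secrets.token_hex(8)
    sk, auth_pkt = client_authenticate(user_key, user_pkt, user, nonce)
    return client_confirm(sk, service_verify(service_key, service_pkt, auth_pkt, service), nonce, service)
```

A packet wrapped under the wrong key, or an authenticator whose user name disagrees with the ticket, is rejected by `unseal` or by the comparison in step 7 before any confirmation is produced.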