This Domain Name System (DNS) name must be the same as the host name defined on the machine. For more information about how DNS and Kerberos work together, see Host name resolution considerations.
password server
Allows clients (principals) to change their password on the Kerberos server remotely. The password server typically runs on the same machine as the Kerberos server.
principal
The name of a user or service in a Kerberos realm. A user is a person, whereas a service identifies a specific application or set of operating system services. On the i5/OS operating system, the krbsvr400 service principal identifies the service used by iSeries™ Access for Windows®, QFileSrv.400, and Telnet servers when authenticating from the client to the System i platform.
proxiable tickets
A proxiable ticket is a ticket-granting ticket (TGT) that allows you to obtain a ticket for a service with IP addresses other than those in the TGT. Unlike forwardable tickets, you cannot derive a new TGT from your current TGT; you can only transfer service tickets. Forwardable tickets let you transfer your complete identity (TGT) to another machine, whereas proxiable tickets let you transfer only particular tickets. Proxiable tickets allow a service to perform a task on behalf of a principal, which requires the service to take on the identity of the principal for that particular purpose. A proxiable ticket tells the Kerberos server that it can issue a new ticket to a different network address, based on the original ticket-granting ticket. With proxiable tickets, a password is not required.
realm
A set of users and servers for which a given Kerberos server is the authenticating authority.
realm trust
To determine realm trust, the Kerberos protocol either searches the configuration file, such as krb5.conf, or by default looks for trust relationships within the realm hierarchy. Using Trusted realms in network authentication service lets you bypass this search and creates a shortcut for authentication. Realm trust can be used in networks where realms are in different domains. For example, if a company has one realm at NY.MYCO.COM and another at LA.MYCO.COM, you can establish trust between these two realms. If two realms trust each other, their associated Kerberos servers must share a key. Before creating a shortcut, set up the Kerberos servers to trust each other.
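As an added example (not part of the original page or of the i5/OS product documentation), the following krb5.conf fragment in MIT Kerberos syntax declares the NY.MYCO.COM and LA.MYCO.COM trust described above as a direct shortcut path; the KDC host names are constructed placeholders, and the [capaths] section is the MIT equivalent of the shortcut, not the network authentication service GUI step itself.

```ini
# Added example: krb5.conf fragment (MIT syntax) for a direct realm trust
# between NY.MYCO.COM and LA.MYCO.COM. KDC host names are placeholders.

[libdefaults]
    default_realm = NY.MYCO.COM

[realms]
    NY.MYCO.COM = {
        kdc = kdc1.ny.myco.com
        admin_server = kdc1.ny.myco.com
    }
    LA.MYCO.COM = {
        kdc = kdc1.la.myco.com
        admin_server = kdc1.la.myco.com
    }

# Map DNS domains onto realms so that a service principal's host name,
# which must match the machine's DNS name, selects the correct realm.
[domain_realm]
    .ny.myco.com = NY.MYCO.COM
    .la.myco.com = LA.MYCO.COM

# Shortcut trust path: a client in NY.MYCO.COM asks its own KDC for a
# cross-realm TGT (krbtgt/LA.MYCO.COM@NY.MYCO.COM) directly, instead of
# walking the hierarchy through the parent realm MYCO.COM. The "." means
# no intermediate realm. Both KDCs must hold the shared cross-realm key
# for this krbtgt principal (and its reverse) before the path will work.
[capaths]
    NY.MYCO.COM = {
        LA.MYCO.COM = .
    }
    LA.MYCO.COM = {
        NY.MYCO.COM = .
    }
```

If the shared cross-realm key is missing on either KDC, cross-realm ticket requests fail even though the configuration file declares the path, which matches the requirement above to set up the servers to trust each other before creating the shortcut.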
renewable tickets
In some cases, an application or a service might want tickets that are valid for an extended period of time. However, the extended lifetime gives anyone who steals these credentials longer to use them, because they remain valid until the ticket expires. Renewable tickets let applications obtain tickets that are valid for extended periods. A renewable ticket contains two expiration times: the first applies to the current instance of the ticket, and the second is the latest permissible expiration for the ticket.
service ticket
A ticket that authenticates a principal to a service.
ticket-granting service (TGS)
A service provided by the Kerberos server that issues service tickets.
ticket-granting ticket (TGT)
A ticket that allows access to the ticket-granting service on the Kerberos server. Ticket-granting tickets are passed to the principal by the Kerberos server after the principal has completed a successful request to the authentication server. In a Windows 2000 environment, when a user logs on to the network, the Kerberos server verifies the principal's name and encrypted password and then sends a ticket-granting ticket to the user. From a System i platform, users can request a ticket using the kinit command within the Qshell Interpreter in the character-based interface.