The sequence of Kerberos Authentication.

Document ID : KB000014920
Last Modified Date : 14/02/2018
Question:

How does CA SSO Kerberos authentication work?

Answer:

1. The user signs in to their workstation with their Windows logon.

2. Windows sends a Kerberos authentication request (AS_REQ) to the domain controller.

3. The domain controller returns a Kerberos authentication response (AS_REP) containing a ticket granting ticket (TGT).

4. Windows populates the LSA (Local Security Authority) credential cache with the TGT.

5. The user opens their browser and sends an HTTP request to a URL protected by the SiteMinder Kerberos authentication scheme.

6. The Web Agent sends an IsProtected() call to the Policy Server.

7. The Policy Server responds to the IsProtected() call with the realm and the authentication scheme URL.

8. The Web Agent redirects the browser to the authentication scheme URL, which is the Kerberos credentials collector (KCC).

9. The browser follows the redirect, requesting the KCC.

10. The KCC responds to the browser with an HTTP Negotiate challenge (a 401 response carrying a WWW-Authenticate: Negotiate header).

11. The browser retrieves the TGT from the LSA cache.

12. The browser creates a security token derived from the TGT (it uses the TGT to obtain a service ticket for the web server's service principal name) and sends a base64-encoded copy of it to the KCC in the Authorization header.

13. The KCC initializes the Kerberos credential cache with the web server principal's credentials.

14. The KCC retrieves the security token sent by the browser.

15. The KCC accepts the security token via GSSAPI.

16. The Web Agent reads the krb5.ini file.

17. GSSAPI retrieves the web server principal's credentials from the keytab file.

18. GSSAPI returns the user principal's delegated credentials.

19. The KCC initializes a delegated security token via GSSAPI on behalf of the delegated credentials.

20. GSSAPI retrieves the web server principal's credentials.

21. GSSAPI requests a forwarded TGT on behalf of the delegated credentials.

22. The KDC returns the new forwarded TGT.

23. GSSAPI returns a delegated security token.

24. GSSAPI returns the delegated user's principal name.

25. The KCC prepares SiteMinder user credentials, setting the username to the user principal and the password to the delegated security token.

26. The Web Agent sends a login request using the SiteMinder user credentials via the SiteMinder Agent API.

27. The Policy Server receives the login request and calls the authentication scheme to disambiguate the user.

28. The authentication scheme constructs a directory search query based on the user principal and returns the query to the Policy Server.

29. The Policy Server disambiguates the user using the directory search query.

30. The Policy Server passes the SiteMinder credentials to the authentication scheme for authentication.

31. The authentication scheme initializes the Kerberos credential cache with the Policy Server principal's credentials.

32. The authentication scheme accepts the delegated security token via GSSAPI.

33. The Policy Server reads the krb5.ini file.

34. GSSAPI retrieves the Policy Server principal's credentials from the keytab file.

35. GSSAPI returns the accepted security context.

36. The authentication scheme queries the delegated security token for its principal.

37. The authentication scheme verifies that the delegated security token's principal matches the intended principal (the user principal named in the login request), so a token for one user cannot be submitted under another user's name.

38. The Web Agent generates the SMSESSION cookie.

39. The browser is redirected to the target resource and presents the SMSESSION cookie.

40. The Web Agent sends an IsAuthorized() call to the Policy Server.

41. The Policy Server responds to the IsAuthorized() call.

42. The content page is displayed.
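The Negotiate exchange in steps 10 to 15 is where Kerberos troubleshooting usually starts: the KCC challenges with WWW-Authenticate: Negotiate, and the browser answers with Authorization: Negotiate followed by a base64 token. If the browser could not obtain a service ticket for the web server's SPN, it silently falls back to NTLM inside the same header, and GSSAPI will then never return delegated Kerberos credentials, so steps 18 onward cannot succeed. The Python below is an added example, not CA SSO or Web Agent code: it decodes the header value, walks the GSS-API/SPNEGO DER structure (RFC 2743, RFC 4178) to list the mechanism OIDs the browser offered, and reports whether the preferred mechanism is Kerberos or NTLM. The sample tokens are constructed inline, with a placeholder string in place of the real AP-REQ; the OID constants are the standard values.

```python
# Added example, not CA SSO or Web Agent code: classify the token a browser
# sends in "Authorization: Negotiate <base64>" at step 12 above, so you can
# tell a Kerberos token from an NTLM fallback before GSSAPI sees it (step 15).
# Sample tokens are constructed here; the OID constants are the standard values.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"       # legacy Microsoft Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {KRB5_OID, MS_KRB5_OID}

def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER, tag 0x06 included."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    """DER OID body -> dotted string (first arc 0 or 1, enough for GSS OIDs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _mech_name(oid):
    return "kerberos" if oid in KERBEROS_MECHS else ("ntlm" if oid == NTLMSSP_OID else "other")

def classify_negotiate(header_value):
    """Parse an Authorization header value; report the mechanism the browser chose."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):        # raw NTLM, no GSS-API wrapper at all
        return {"mechanism": "ntlm", "mech_types": []}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                             # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_body, pos = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("missing thisMech OID")
    this_mech = decode_oid(oid_body)
    if this_mech != SPNEGO_OID:                 # bare krb5 token, no SPNEGO layer
        return {"mechanism": _mech_name(this_mech), "mech_types": [this_mech]}
    # SPNEGO: [0] NegTokenInit -> SEQUENCE -> [0] MechTypeList -> SEQUENCE OF OID
    choice_tag, choice_body, _ = read_tlv(body, pos)
    if choice_tag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, init_seq, _ = read_tlv(choice_body)
    ctx_tag, mechlist_ctx, _ = read_tlv(init_seq)
    if ctx_tag != 0xA0:
        raise ValueError("negTokenInit without mechTypes")
    _, mechlist, _ = read_tlv(mechlist_ctx)
    mech_types, p = [], 0
    while p < len(mechlist):
        t, v, p = read_tlv(mechlist, p)
        if t == 0x06:
            mech_types.append(decode_oid(v))
    preferred = mech_types[0] if mech_types else None   # the mechToken is for this one
    return {"mechanism": _mech_name(preferred), "mech_types": mech_types}

def build_spnego_token(mech_types, mech_token):
    """Constructed NegTokenInit shaped as a browser sends it (RFC 4178)."""
    mech_list = _tlv(0x30, b"".join(encode_oid(o) for o in mech_types))
    init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, encode_oid(SPNEGO_OID) + _tlv(0xA0, init))

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples: "<AP-REQ placeholder>" stands in for a real Kerberos AP-REQ.
KERBEROS_SAMPLE = negotiate_header(
    build_spnego_token([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"<AP-REQ placeholder>"))
NTLM_FALLBACK_SAMPLE = negotiate_header(
    build_spnego_token([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00"))
RAW_NTLM_SAMPLE = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00")
```

Run classify_negotiate() on the Authorization header value captured from the browser (from a Web Agent trace or an HTTP capture). A result of "kerberos" with the Kerberos OID first in mech_types is what the KCC expects at step 15; "ntlm" means the browser never got a service ticket (typically a missing or duplicate SPN, a host not in the browser's intranet zone, or an unreachable KDC), and the failure should be chased on the client and in Active Directory rather than in the keytab or krb5.ini on the web server.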