content/apacheds/kerberos-ug/1.1.4-kdc.mdtext - directory-site - Git at Google

 Title: 1.1.4 - KDC (Key Distribution Center)
 NavPrev: 1.1.3-keys.html
 NavPrevText: 1.1.3 - Keys
 NavUp: 1.1-introduction.html
 NavUpText: 1.1 - Introduction
 NavNext: 1.1.5-database.html
 NavNextText: 1.1.5 - Database
 Notice: Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
     regarding copyright ownership.  The ASF licenses this file
     to you under the Apache License, Version 2.0 (the
     "License"); you may not use this file except in compliance
     with the License.  You may obtain a copy of the License at
     .
     http://www.apache.org/licenses/LICENSE-2.0
     .
     Unless required by applicable law or agreed to in writing,
     software distributed under the License is distributed on an
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
     under the License.

 # 1.1.4 - KDC (Key Distribution Center)

 The **KDC** contains three components :
 * an Authentication Service
 * a Ticket Granting Service
 * a database (ApacheDS)

 The **KDC** role is to authenticate users and distribute tickets based on the information stored in its database.

 The **Apache Kerberos Server** contains all these three components and hence is a **KDC**.

 <DIV class="info" markdown="1">
 We could allow the **Kerberos Server** to manage more than one **KDC**, but this is not currently possible.
 </DIV>

 The **KDC** is associated with a **Realm**.

 The following schema expose the way the **KDC** works :

 <DIV align="center">
   <img alt="KDC usage" src="images/kerberos-auth.png">
 </DIV>

 In order to use a service, the client needs to get a ticket for this service from the **KDC**. This requires a two step process, where the client first authenticates himself, and then get back a ticket to use with the targeted server.

 Though the Autehntication and Ticket Granting services look like running in separate servers, a signle Kerberos server implementation oftent contains both.
	Title: 1.1.4 - KDC (Key Distribution Center)
	NavPrev: 1.1.3-keys.html
	NavPrevText: 1.1.3 - Keys
	NavUp: 1.1-introduction.html
	NavUpText: 1.1 - Introduction
	NavNext: 1.1.5-database.html
	NavNextText: 1.1.5 - Database
	Notice: Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at
	.
	http://www.apache.org/licenses/LICENSE-2.0
	.
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.

	# 1.1.4 - KDC (Key Distribution Center)

	The KDC contains three components :
	* an Authentication Service
	* a Ticket Granting Service
	* a database (ApacheDS)

	The KDC role is to authenticate users and distribute tickets based on the information stored in its database.

	The Apache Kerberos Server contains all these three components and hence is a KDC.

	<DIV class="info" markdown="1">
	We could allow the Kerberos Server to manage more than one KDC, but this is not currently possible.
	</DIV>

	The KDC is associated with a Realm.

	The following schema expose the way the KDC works :

	<DIV align="center">
	<img alt="KDC usage" src="images/kerberos-auth.png">
	</DIV>

	In order to use a service, the client needs to get a ticket for this service from the KDC. This requires a two step process, where the client first authenticates himself, and then get back a ticket to use with the targeted server.

	Though the Autehntication and Ticket Granting services look like running in separate servers, a signle Kerberos server implementation oftent contains both.