| Title: 1.1.4 - KDC (Key Distribution Center) |
| NavPrev: 1.1.3-keys.html |
| NavPrevText: 1.1.3 - Keys |
| NavUp: 1.1-introduction.html |
| NavUpText: 1.1 - Introduction |
| NavNext: 1.1.5-database.html |
| NavNextText: 1.1.5 - Database |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 1.1.4 - KDC (Key Distribution Center) |
| |
| The **KDC** contains three components: |
| * an Authentication Service |
| * a Ticket Granting Service |
| * a database (ApacheDS) |
| |
| The **KDC** role is to authenticate users and distribute tickets based on the information stored in its database. |
| |
| The **Apache Kerberos Server** contains all three of these components and hence is a **KDC**. |
| |
| <DIV class="info" markdown="1"> |
| We could allow the **Kerberos Server** to manage more than one **KDC**, but this is not currently possible. |
| </DIV> |
| |
| The **KDC** is associated with a **Realm**. |
| |
| The following diagram shows how the **KDC** works: |
| |
| <DIV align="center"> |
| <img alt="KDC usage" src="images/kerberos-auth.png"> |
| </DIV> |
| |
| In order to use a service, the client needs to get a ticket for this service from the **KDC**. This is a two-step process: the client first authenticates itself, and then gets back a ticket to use with the targeted server. |
| |
| Though the Authentication and Ticket Granting services look as if they run on separate servers, a single Kerberos server implementation often contains both. |
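
The two-step exchange described above, modelled as an added example (it is not Apache Kerberos Server code and does not use the Kerberos wire format): a toy KDC whose Authentication Service and Ticket Granting Service share one database. `ToyKDC`, `seal`/`unseal`, `get_service_ticket`, the principals and the SHA-256 keystream cipher are assumptions made for illustration.

```python
import hashlib, hmac, json, os, time

def _xor(key, nonce, data):  # toy SHA-256 keystream, a stand-in for a real enctype
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

class ToyKDC:
    def __init__(self, realm, database):
        self.database = database              # principal -> long-term key
        self.tgs = f"krbtgt/{realm}@{realm}"  # the TGS's own principal

    def _issue(self, client, target, reply_key):
        # The ticket is sealed for the target; the session key copy for the client.
        session = os.urandom(16).hex()
        ticket = seal(self.database[target],
                      {"client": client, "key": session, "exp": time.time() + 300})
        return seal(reply_key, {"key": session}), ticket

    def authentication_service(self, client):
        # Step 1: only the holder of the client's long-term key can read the reply.
        return self._issue(client, self.tgs, self.database[client])

    def ticket_granting_service(self, tgt, authenticator, service):
        # Step 2: TGT + authenticator under the TGT session key prove the identity.
        t = unseal(self.database[self.tgs], tgt)
        key = bytes.fromhex(t["key"])
        if unseal(key, authenticator)["client"] != t["client"] or t["exp"] < time.time():
            raise ValueError("TGT rejected")
        return self._issue(t["client"], service, key)

def get_service_ticket(kdc, client, client_key, service):
    reply, tgt = kdc.authentication_service(client)
    tgt_key = bytes.fromhex(unseal(client_key, reply)["key"])
    reply, ticket = kdc.ticket_granting_service(tgt, seal(tgt_key, {"client": client}), service)
    return unseal(tgt_key, reply)["key"], ticket

# Constructed sample database for a hypothetical realm (random keys, no real principals)
DB = {p: os.urandom(32) for p in ("alice@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "ldap/srv@EXAMPLE.COM")}
```

The client's long-term key is used only in step 1, and the service can open the final ticket with its own key without contacting the KDC.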