1.1.4 - KDC (Key Distribution Center)

The KDC contains three components:

  • an Authentication Service
  • a Ticket Granting Service
  • a database (ApacheDS)

The KDC's role is to authenticate users and distribute tickets based on the information stored in its database.

The Apache Kerberos Server contains all three of these components and hence is a KDC.

We could allow the **Kerberos Server** to manage more than one **KDC**, but this is not currently possible.

The KDC is associated with a Realm.

The following diagram shows how the KDC works:

KDC usage

In order to use a service, the client needs to get a ticket for this service from the KDC. This requires a two-step process, where the client first authenticates itself, and then gets back a ticket to use with the targeted server.

Though the Authentication and Ticket Granting services look like they run on separate servers, a single Kerberos server implementation often contains both.
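The two-step exchange described above, modelled as an added example (this is not code from the Apache Kerberos Server): a single `KDC` object holds the database and exposes both services. Assumptions: the principals `alice` and `ldap/host`, the realm `EXAMPLE.COM` and all keys are constructed; `seal`/`unseal` are a toy cipher standing in for a real Kerberos encryption type; pre-authentication, nonces and replay caches are left out.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption, standing in for a real Kerberos enctype."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, realm, database):
        self.realm, self.db = realm, database      # database: principal -> long-term key
        self.tgs_key = os.urandom(32)              # key known only to the KDC itself

    def authentication_service(self, client):      # step 1: TGT + sealed session key
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": sk, "exp": time.time() + 600})
        return tgt, seal(self.db[client], {"key": sk})

    def ticket_granting_service(self, tgt, authenticator, service):   # step 2
        t = unseal(self.tgs_key, tgt)              # only the KDC can open its own TGT
        sk = bytes.fromhex(t["key"])
        if unseal(sk, authenticator)["client"] != t["client"] or t["exp"] < time.time():
            raise ValueError("TGT rejected")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_sk})
        return ticket, seal(sk, {"key": svc_sk})

def run_exchange():
    alice_key, svc_key = os.urandom(32), os.urandom(32)      # constructed long-term keys
    kdc = KDC("EXAMPLE.COM", {"alice": alice_key, "ldap/host": svc_key})
    tgt, reply = kdc.authentication_service("alice")
    tgs_sk = bytes.fromhex(unseal(alice_key, reply)["key"])  # only alice's key opens this
    auth = seal(tgs_sk, {"client": "alice", "ts": time.time()})
    ticket, reply2 = kdc.ticket_granting_service(tgt, auth, "ldap/host")
    svc_sk = unseal(tgs_sk, reply2)["key"]
    seen = unseal(svc_key, ticket)                           # what the target server learns
    return seen["client"], seen["key"] == svc_sk
```

The client never sees the target server's long-term key: it only forwards the sealed ticket, and both ends finish with the same session key.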