AP-REP: Application Reply (Service to User)
Service grants access
- Service decrypts service ticket to get service session key
- Service decrypts user authenticator with service session key
- Service validates the messages in the same fashion as TGS with TGT
- Username, Timestamp, IP addresses, Lifetime/expiry
- Checks the service name matches its own
- Checks its own Service Cache for the same user authenticator to prevent replay attacks
- Checks if user has access to service
- Service adds the user authenticator to the service cache
- Message 1 to client: Service Authenticator; encrypted with Service Session Key
- Service name/ID
- Timestamp
- Once the client decrypts the service authenticator and verifies the service name and timestamp, the mutual authentication process is complete. The client caches the Service Ticket in the User Cache for future use.