AS-REQ: Authentication Server Request (User to KDC)

user requests TGT from KDC with encrypted timestamp (pre-authentication)

  • Message 1 to AS; cleartext
    • Username / ID
    • Service name / ID
    • User IP
    • Requested lifetime for TGT (might be ignored based on policy)
  • Message 2 to AS: timestamp; encrypted with client password-derived key
    • Kerberos requires the user to submit a timestamp for pre-authentication
    • This feature is enabled by default