2.5.3.2.1 Interactive Domain Logon: Service Ticket for Client Computer

The LSA initiates this use case with the goal of proving the identity of a user to the Authentication Authority (AA) and of getting, from the AA, a service ticket for the client computer that contains the user's logon information. The user provides the credential material, which includes an identification and proof of that identification.

Goal: To get the service ticket for a client computer.

Context of Use: Applies when the user and computer accounts are in different domains and when the user interactively logs on to the domain.

Direct Actor: The LSA.

Primary Actor: The user.

Supporting Actors: AA1, AA2, Account DB #1, and Account DB #2. See the similar diagram in section 2.5.4.2.1.

Preconditions:

  • The client computer is joined to domain2.

  • The identity of the user is configured in Account DB #1.

  • Both domains exist in the same forest.

Minimal Guarantee: The LSA sends an error message to the user when the submitted credentials do not match the ones stored in the account databases or when the interactive domain logon process fails.

Success Guarantee: The LSA receives a service ticket for the client computer.

Trigger: The user attempts to log on interactively to the client computer.

Main Success Scenario:

  1. The identity of the user is proven to AA1 as described in section 2.5.5.1.

  2. The LSA requests a service ticket for the client computer by including a Kerberos authenticator and the TGT that was received in the preceding step in a Kerberos request and by sending it to AA1.

  3. AA1 cannot issue the service ticket for the client computer because the client computer is joined to domain2 and only AA2 can do so; therefore, AA1 replies with a referral ticket for domain2, as described in [Referrals].

  4. On receiving the referral ticket, the LSA locates AA2 and sends a TGS request that includes the referral ticket.

  5. AA2 decrypts the referral ticket by using the inter-domain key that is shared between AA1 and AA2, detects that the referral ticket contains a request for a service ticket for the client computer, generates the service ticket, and returns it to the client computer.
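The five-step flow above, as an added Python model that is not the specification's own code and not a Kerberos implementation: a toy authenticated-encryption routine stands in for ticket encryption, the authenticator and session keys are omitted, and the domain names, principal names, SID and keys are constructed. It shows AA1 turning a request it cannot serve into a referral ticket sealed under the inter-domain key, the LSA locating AA2 from that ticket, and AA2 unsealing it and issuing the client computer's service ticket carrying the user's logon information.

```python
import hashlib, hmac, json, os

def xor_stream(key, nonce, data):          # SHA-256 counter-mode keystream, toy only
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):   # toy authenticated encryption standing in for a Kerberos etype
    nonce = os.urandom(12)
    ct = xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(xor_stream(key, nonce, ct))

class AA:
    """One Authentication Authority. keys: service principal -> long-term key; the
    inter-domain key shared by AA1 and AA2 is named krbtgt/<target>@<issuer>."""
    def __init__(self, domain, keys):
        self.domain, self.keys = domain, keys
    def tgs_exchange(self, ticket, sname, sdomain):
        enc = unseal(self.keys[ticket["sname"]], ticket["enc"])   # TGT or referral ticket
        if sdomain != self.domain:                  # step 3: only sdomain's AA can issue it
            inter = "krbtgt/%s@%s" % (sdomain, self.domain)
            if inter not in self.keys:
                raise LookupError("no trust path from %s to %s" % (self.domain, sdomain))
            return {"sname": inter, "enc": seal(self.keys[inter], enc)}   # referral ticket
        if sname not in self.keys:
            raise LookupError("unknown service %s in %s" % (sname, self.domain))
        return {"sname": sname, "enc": seal(self.keys[sname], enc)}    # step 5: service ticket

def get_client_service_ticket(aa_by_domain, tgt, client_spn, client_domain):
    # Steps 2-5 from the LSA's side: present the TGT, follow referrals, return the ticket.
    ticket, domain = tgt, tgt["sname"].split("/")[1]        # TGT: krbtgt/<user's domain>
    for _ in range(8):                                      # bound the referral chain
        ticket = aa_by_domain[domain].tgs_exchange(ticket, client_spn, client_domain)
        if not ticket["sname"].startswith("krbtgt/"):
            return ticket
        domain = ticket["sname"].split("/")[1].split("@")[0]   # step 4: locate the next AA
    raise RuntimeError("referral chain too long")

def demo():   # constructed sample keys, accounts and SID
    inter_key, client_key = os.urandom(32), os.urandom(32)
    aa1 = AA("DOMAIN1", {"krbtgt/DOMAIN1": os.urandom(32), "krbtgt/DOMAIN2@DOMAIN1": inter_key})
    aa2 = AA("DOMAIN2", {"krbtgt/DOMAIN2@DOMAIN1": inter_key, "host/client.domain2": client_key})
    logon = {"cname": "alice@DOMAIN1", "logon_info": {"sid": "S-1-5-21-PLACEHOLDER-1001"}}
    tgt = {"sname": "krbtgt/DOMAIN1", "enc": seal(aa1.keys["krbtgt/DOMAIN1"], logon)}  # step 1
    st = get_client_service_ticket({"DOMAIN1": aa1, "DOMAIN2": aa2}, tgt, "host/client.domain2", "DOMAIN2")
    return unseal(client_key, st["enc"])   # the client computer decrypts its own ticket
```

Removing the inter-domain key from either AA makes the exchange fail with a LookupError at step 3, which is the trust-path check a defender expects to see exercised.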

Postcondition: The LSA has received a service ticket for the client computer, which contains user logon information.

Extensions: None.