4.1 Requesting a Service Ticket
The following diagram demonstrates use of the RDPEAR protocol in requesting a service ticket over RDP.

Figure 1: Sequence diagram for requesting a service ticket over RDP using RDPEAR

| Message Group | Description | References |
|---|---|---|
| Establish | Establish the initial RDP connection using CredSSP. The TGT and its associated encrypted session key are transmitted in a KERB_TICKET_LOGON structure. | |
| Prepare TGS_REQ | Prepare a service ticket request for processing by the domain controller. | [MS-RDPEAR] section 3.1.5.8; [MS-RDPEAR] section 3.1.5.7; [MS-RDPEAR] section 3.1.5.4 |
| TGS_REQ Exchange | Request the service ticket from the KDC. | [MS-KILE] |
| Decrypt & validate service ticket | Decrypt the service ticket reply from the KDC using the encrypted session key that was initially sent to the RDP server in message (2). | [MS-RDPEAR] section 3.1.5.6 |

The following steps describe how this protocol is used in requesting a service ticket:

1. A CredSSP client connects to an RDP server.
2. The TGT for the authenticated user is sent to the server along with an encrypted TGT session key, inside a KERB_TICKET_LOGON structure [MS-CSSP].
3. The RDP session is established and the TGT sent in step 2 is ready for use.
4. The RDP server requests authentication data for the target service.
5. The RDP client replies with the requested authentication data.
6. The RDP server requests that the client calculate an HMAC over the TGS_REQ [RFC4120], which will be sent to the domain controller.
7. The RDP client replies with the requested HMAC value.
8. The RDP server requests an authenticator to insert into the TGS_REQ padata [RFC4120].
9. The RDP client replies with the requested authenticator value.
10. The RDP server requests a service ticket from the KDC.
11. The KDC replies with the service ticket. This reply is partially encrypted.
12. The RDP server requests that the TGS_REP be decrypted and validated.
13. The RDP client replies with the decrypted data, including the session key.
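The thirteen steps above can be modelled end to end as a three-party exchange. The following Python is an added example written for this page, not MS-RDPEAR reference code or any Microsoft implementation: the encryption is a toy HMAC-SHA256 counter-mode stand-in for a Kerberos encryption type, the messages are simplified JSON rather than ASN.1, and the principal `alice@CORP.EXAMPLE`, the SPN `TERMSRV/rdp01` and the class names `Kdc`, `RdpClient` and `RdpServer` are all constructed for the example. What it shows is the property the redirection exists for: the RDP server holds the TGT but never the TGT session key, so the checksum (steps 6-7), the authenticator (steps 8-9) and the TGS_REP decryption (steps 12-13) are redirected to the client, and a TGS_REQ body altered after the client computed the checksum is rejected by the KDC.

```python
"""Constructed model of the RDPEAR service-ticket flow (added example, not MS-RDPEAR code).
seal/unseal are a toy encrypt-then-MAC stand-in for a Kerberos etype; message
bodies are simplified JSON, not ASN.1. Names and principals are constructed."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy EncryptedData: encrypt-then-MAC of a JSON object under key."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def checksum(key: bytes, req_body: dict) -> str:
    """Keyed checksum over the TGS_REQ body (the HMAC of steps 6-7)."""
    return hmac.new(key, json.dumps(req_body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class Kdc:
    """Domain controller: issues the TGT and answers the TGS exchange (steps 10-11)."""
    def __init__(self):
        self.krbtgt_key = os.urandom(32)
        self.service_keys = {"TERMSRV/rdp01": os.urandom(32)}  # constructed SPN

    def issue_tgt(self, cname: str):
        session_key = os.urandom(32)
        return seal(self.krbtgt_key, {"cname": cname, "key": session_key.hex()}), session_key

    def tgs_exchange(self, tgs_req: dict) -> dict:
        tgt = unseal(self.krbtgt_key, bytes.fromhex(tgs_req["padata"]["tgt"]))
        session_key = bytes.fromhex(tgt["key"])
        auth = unseal(session_key, bytes.fromhex(tgs_req["padata"]["authenticator"]))
        # Reject a TGS_REQ whose body no longer matches the client-computed checksum.
        if (not hmac.compare_digest(auth["cksum"], checksum(session_key, tgs_req["req-body"]))
                or auth["cname"] != tgt["cname"]):
            raise PermissionError("authenticator does not match request body")
        sname, svc_key = tgs_req["req-body"]["sname"], os.urandom(32)
        ticket = seal(self.service_keys[sname], {"cname": tgt["cname"], "key": svc_key.hex()})
        enc_part = seal(session_key, {"sname": sname, "key": svc_key.hex()})  # client-only
        return {"ticket": ticket.hex(), "enc-part": enc_part.hex()}


class RdpClient:
    """Holds the TGT session key and answers the server's redirected calls."""
    def __init__(self, cname: str, tgt: bytes, session_key: bytes):
        self.cname, self.tgt, self._session_key = cname, tgt, session_key

    def kerb_ticket_logon(self) -> dict:          # step 2: the TGT, no usable key
        return {"cname": self.cname, "tgt": self.tgt.hex()}

    def auth_data(self, sname: str) -> dict:      # step 5
        return {"cname": self.cname, "sname": sname}

    def checksum(self, req_body: dict) -> str:    # step 7
        return checksum(self._session_key, req_body)

    def authenticator(self, cksum: str) -> str:   # step 9
        return seal(self._session_key, {"cname": self.cname, "cksum": cksum}).hex()

    def decrypt_tgs_rep(self, enc_part_hex: str) -> dict:  # step 13
        return unseal(self._session_key, bytes.fromhex(enc_part_hex))


class RdpServer:
    """Drives the exchange; stores only what the client handed over in step 2."""
    def __init__(self, kdc: Kdc):
        self.kdc, self.logon = kdc, None

    def establish(self, client: RdpClient) -> None:  # steps 1-3
        self.logon = client.kerb_ticket_logon()

    def build_tgs_req(self, client: RdpClient, sname: str) -> dict:  # steps 4-9
        auth = client.auth_data(sname)
        req_body = {"sname": sname, "cname": auth["cname"], "nonce": os.urandom(4).hex()}
        authenticator = client.authenticator(client.checksum(req_body))
        return {"padata": {"tgt": self.logon["tgt"], "authenticator": authenticator},
                "req-body": req_body}

    def get_service_ticket(self, client: RdpClient, sname: str):
        tgs_rep = self.kdc.tgs_exchange(self.build_tgs_req(client, sname))  # steps 10-11
        dec = client.decrypt_tgs_rep(tgs_rep["enc-part"])                   # steps 12-13
        return bytes.fromhex(tgs_rep["ticket"]), bytes.fromhex(dec["key"])


def run_demo():
    """Full flow for a constructed principal; returns the parties and the result."""
    kdc = Kdc()
    tgt, session_key = kdc.issue_tgt("alice@CORP.EXAMPLE")
    client = RdpClient("alice@CORP.EXAMPLE", tgt, session_key)
    server = RdpServer(kdc)
    server.establish(client)
    ticket, svc_key = server.get_service_ticket(client, "TERMSRV/rdp01")
    return kdc, client, server, ticket, svc_key
```

Calling `run_demo()` returns a service ticket that the service's own key opens, together with the service session key the client recovered in step 13; at no point does `RdpServer` receive anything from which the TGT session key is derivable, and tampering with the request body between step 7 and step 10 makes `Kdc.tgs_exchange` refuse the request.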