OSF DCE Application Development Guide--Core Components
Authentication
23.3.2 Intercell Authentication by Trust Peers
This section explains how a client principal in one cell is authenticated by an
Authentication Service in a peer cell so that the client principal may communicate
with another principal that is a member of the foreign cell.
1. A client principal, having already been authenticated by its Authentication
Service and having acquired its PAC, requests a service from a foreign cell. The
client specifies the server principal that provides the service by its fully
qualified name, which identifies the foreign cell as well as the cell-relative
server principal name.
2. Recognizing by its name that the server principal is foreign, the client's Security
runtime makes a request to the local Authentication Service for a TGT to the
Authentication Service of the foreign cell of which the server principal is a
member. The request for this foreign TGT (FTGT) proceeds like a ticket-granting
request for any other target principal. The local Authentication Service
constructs the ticket, preserving the PAC data from the client's existing PTGT,
and encrypts it using the secret key that the two cells' Authentication
surrogates share.
3. Upon receiving the client's ticket-granting request, which carries the FTGT, the
foreign Authentication Service decrypts the FTGT using the surrogates' secret
key and returns to the client's Security runtime a ticket to the foreign
Privilege Service.
4. The client’s Security runtime uses the ticket to the foreign Privilege Service to
obtain a Foreign Privilege-Ticket-Granting Ticket (FPTGT). The FPTGT is
simply the client’s original PAC encrypted with the key of the foreign Privilege
Service.
5. After the client principal receives the FPTGT, it requests a ticket to the foreign
server principal from the foreign Authentication Service, exactly as it would
request a ticket to a local principal from its own Authentication Service. The
client principal may also reuse the FPTGT to the foreign cell to acquire tickets
to any other principals in that cell.
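The five steps above, run end to end as an added example. This is not code from the DCE guide or from any DCE implementation: the seal()/unseal() routine is a toy encrypt-then-MAC standing in for DCE's ticket encryption, the ticket bodies, the "kind" tags, the cell and principal names and all keys are constructed here for illustration, and each cell's Authentication Service and Privilege Service are modeled as one object holding both keys (they run inside the same secd in a real cell). What the model shows that the prose does not: the PAC reaches the foreign server with its home-cell identity intact, the FPTGT is reusable for any server in the foreign cell, and step 3 is where the trust relationship is actually enforced, so an FTGT not sealed under the surrogate key is rejected there.

```python
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, n):
    # SHA-256 in counter mode; a stand-in for the cipher real DCE seals tickets with.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key, payload):
    """Toy encrypt-then-MAC of a ticket body under `key` (illustrative only)."""
    nonce = os.urandom(16)
    pt = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, ticket):
    """Inverse of seal(); raises ValueError unless `ticket` was sealed under `key`."""
    nonce, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket was not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class Cell:
    """One DCE cell. Its Authentication Service (AS) and Privilege Service (PS)
    are modeled as one object holding both keys, as they share a secd process."""
    def __init__(self, name):
        self.name = name
        self.ps_key = os.urandom(32)  # key of this cell's Privilege Service
        self.surrogates = {}          # peer cell name -> shared surrogate key
        self.servers = {}             # server principal name -> its secret key

    def trust_peer(self, other, shared_key):
        # The secret the two cells' Authentication surrogates share.
        self.surrogates[other.name] = shared_key
        other.surrogates[self.name] = shared_key

    def _open(self, key, ticket, kinds):
        body = unseal(key, ticket)
        if body["kind"] not in kinds:
            raise ValueError(f"expected one of {kinds}, got {body['kind']}")
        return body["pac"]

    def login(self, principal, groups):
        # Step 1 precondition: the client already holds a PTGT carrying its PAC.
        pac = {"cell": self.name, "principal": principal, "groups": groups}
        return seal(self.ps_key, {"kind": "ptgt", "pac": pac})

    def issue_ftgt(self, ptgt, foreign_cell):
        # Step 2 (local AS): copy the PAC out of the PTGT into an FTGT sealed
        # under the surrogate key shared with the foreign cell.
        pac = self._open(self.ps_key, ptgt, ("ptgt",))
        return seal(self.surrogates[foreign_cell], {"kind": "ftgt", "pac": pac})

    def ticket_to_privilege_service(self, ftgt, home_cell):
        # Step 3 (foreign AS): open the FTGT with the surrogate key; anything
        # not sealed by the trusted peer fails here. Return a ticket to the PS.
        pac = self._open(self.surrogates[home_cell], ftgt, ("ftgt",))
        return seal(self.ps_key, {"kind": "ps_ticket", "pac": pac})

    def issue_fptgt(self, ps_ticket):
        # Step 4 (foreign PS): re-seal the unchanged home-cell PAC as an FPTGT.
        pac = self._open(self.ps_key, ps_ticket, ("ps_ticket",))
        return seal(self.ps_key, {"kind": "fptgt", "pac": pac})

    def service_ticket(self, fptgt, server):
        # Step 5 (foreign AS): issue a service ticket from the FPTGT exactly as
        # from a local PTGT; the same FPTGT serves any server in this cell.
        pac = self._open(self.ps_key, fptgt, ("ptgt", "fptgt"))
        return seal(self.servers[server], {"kind": "service", "pac": pac, "server": server})


def intercell_request(home, foreign, ptgt, server):
    """Client Security runtime: run steps 2-5, then return the PAC the foreign
    server recovers from the service ticket with its own key."""
    ftgt = home.issue_ftgt(ptgt, foreign.name)
    fptgt = foreign.issue_fptgt(foreign.ticket_to_privilege_service(ftgt, home.name))
    ticket = foreign.service_ticket(fptgt, server)
    return unseal(foreign.servers[server], ticket)["pac"]


def demo():
    # Constructed cells, principal and keys; "/.../" is DCE's global-name prefix.
    home, foreign = Cell("/.../home.example.com"), Cell("/.../foreign.example.com")
    home.trust_peer(foreign, os.urandom(32))
    foreign.servers["printserver"] = os.urandom(32)
    ptgt = home.login("alice", ["staff"])
    pac = intercell_request(home, foreign, ptgt, "printserver")
    # An FTGT sealed under a key the peer never shared is rejected at step 3, so a
    # client cannot mint itself a PAC with extra groups for the foreign cell.
    forged = seal(os.urandom(32), {"kind": "ftgt", "pac": {**pac, "groups": ["admin"]}})
    try:
        foreign.ticket_to_privilege_service(forged, home.name)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return pac, forged_rejected
```

Running demo() returns alice's PAC exactly as her home cell issued it, together with True for the forged-FTGT check. Two points follow from the structure: because the PAC is carried through unchanged, authorization decisions in the foreign cell are made against the client's home-cell identity, and because every later ticket is derived from the FTGT, the whole chain is only as trustworthy as the secret the two surrogates share.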
124245 Tandem Computers Incorporated 23−27