Logging In

The process of authentication and authorization proceeds as follows (see Figure 11):

1. A user logs in by providing her user name to the DCE login utility. The client process associated with the user transmits this identity to the Authentication Service. Only the name is sent; the password is not.

2. The Authentication Service looks up the user's secret key (the key derived from her password) in the registry database maintained by the Registry Service. The password itself never crosses the network.

3. The Authentication Service issues a ticket-granting ticket (TGT) together with a session key, and sends them back to the client process encrypted using the user's secret key. (Strictly, the TGT is sealed under the ticket-granting service's own key; it is the reply carrying the TGT and the session key that is encrypted under the user's key.) Only now does the user type the password. The login utility derives the same secret key from it locally and uses that key to decrypt the reply. If the decryption succeeds, the user has typed the correct password and has thus proven her identity without the password ever leaving her machine; if it fails, login fails locally. Because this reply is issued to anyone who names the principal, a captured reply can be subjected to offline password guessing, which is why strong passwords matter here and why later Kerberos and DCE releases add preauthentication to the login exchange.

4. The client's login process next presents the TGT to the Authorization Service and requests that a privilege attribute certificate (PAC) be inserted into it.

5. The Authorization Service verifies that the client holds the session key from step 3, which it could only have obtained by decrypting the earlier reply with the correct secret key, and therefore trusts the client's claimed identity. Certified credentials (that is, a PAC carrying the user's identity and group memberships) for this client are then placed inside a new TGT, the privilege TGT, which is sealed so that the client cannot alter it and sent back to the client for use in later requests for service tickets.

Figure 11 Logging In
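The five steps above, as an added worked example that is not DCE code and not taken from the original text. It models both sides of the exchange in one process. Assumptions, all labelled in the code: PBKDF2 stands in for DCE's real string-to-key function, a small HMAC-SHA256 encrypt-then-MAC construction stands in for DCE's DES ticket encryption, tickets are JSON rather than DCE's wire format, a single `TGS_KEY` is shared by the Authentication and Authorization services, and the registry for principal `alice` is constructed sample data. The authenticator in steps 4 and 5 is the standard Kerberos way for the client to prove it holds the session key.

```python
"""Toy model of the DCE login exchange (added example; not DCE's own code)."""
import hashlib, hmac, json, os, time

# Assumption: one service key shared by the Authentication and Authorization
# services, so the Authorization Service can open the TGT the other issued.
TGS_KEY = os.urandom(32)

def string_to_key(password, principal):
    # Assumption: PBKDF2 (principal name as salt) stands in for DCE's real
    # string-to-key function. The registry stores this key, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

# Constructed sample registry database (step 2): key material and groups only.
REGISTRY = {
    "alice": {"key": string_to_key("correct horse", "alice"), "groups": ["staff", "dev"]},
}

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC (stand-in for DES): HMAC keystream, then HMAC tag."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Steps 1-3: the Authentication Service sees only the principal name. The reply
# is useless to anyone who cannot derive the user's key from the password.
def authentication_service(principal):
    user_key = REGISTRY[principal]["key"]
    session_key = os.urandom(32).hex()
    tgt = seal(TGS_KEY, {"principal": principal, "session_key": session_key,
                         "expires": time.time() + 3600})
    return seal(user_key, {"session_key": session_key, "tgt": tgt.hex()})

def client_login(principal, password):
    reply = authentication_service(principal)      # name goes out before the password is typed
    user_key = string_to_key(password, principal)  # password handled locally only
    creds = unseal(user_key, reply)                # a wrong password raises ValueError here
    return bytes.fromhex(creds["session_key"]), bytes.fromhex(creds["tgt"])

# Steps 4-5: the client proves it holds the session key with an authenticator;
# the Authorization Service then embeds the PAC in a new ticket the client cannot edit.
def authorization_service(tgt, authenticator):
    ticket = unseal(TGS_KEY, tgt)
    session_key = bytes.fromhex(ticket["session_key"])
    auth = unseal(session_key, authenticator)      # only the real client can build this
    if auth["principal"] != ticket["principal"] or abs(time.time() - auth["ts"]) > 300:
        raise PermissionError("authenticator does not match ticket")
    if time.time() > ticket["expires"]:
        raise PermissionError("TGT expired")
    pac = {"principal": ticket["principal"], "groups": REGISTRY[ticket["principal"]]["groups"]}
    ptgt = seal(TGS_KEY, dict(ticket, pac=pac))    # the privilege TGT
    return seal(session_key, {"ptgt": ptgt.hex()})

def client_get_privilege_ticket(principal, session_key, tgt):
    authenticator = seal(session_key, {"principal": principal, "ts": time.time()})
    reply = unseal(session_key, authorization_service(tgt, authenticator))
    return bytes.fromhex(reply["ptgt"])

def dce_login(principal, password):
    """Whole flow; returns the privilege TGT, or raises ValueError on a wrong password."""
    session_key, tgt = client_login(principal, password)
    return client_get_privilege_ticket(principal, session_key, tgt)

if __name__ == "__main__":
    ticket = dce_login("alice", "correct horse")
    print("PAC carried by the privilege TGT:", unseal(TGS_KEY, ticket)["pac"])
    try:
        dce_login("alice", "wrong")
    except ValueError as e:
        print("login with the wrong password failed locally:", e)
```

Two properties of the real protocol are visible in the run: a wrong password is detected on the client without any further round trip, because the Authentication Service reply simply does not decrypt, and the PAC lives only inside a ticket sealed under the service key, so a client cannot grant itself extra group memberships by editing it.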