
Environment: SharePoint & Kerberos

Can someone explain how the client browser knows which Key Distribution Center (KDC) to send the request to in order to get a Kerberos ticket in step 3:

  1. The user types a URL into Internet Explorer (e.g. http://intranet.domain.local)
  2. The client browser constructs the Service Principal Name (SPN), which contains the name of the host and the service type (SPN: http/intranet.domain.local; service type: HTTP; name: intranet.domain.local)
  3. The client sends a request to the KDC to get a ticket for this SPN

Note that domain.local is not KDC server host name.

Thanks in advance, Frank


1 Answer


The algorithm goes pretty much like this:

  1. First the request is sent to whichever domain controller your client is communicating with.
  2. If the request fails, the client queries DNS for a service record (SRV) named _kerberos._udp.DnsDomainName. See http://technet.microsoft.com/en-us/library/cc961719.aspx for more details.

If your DNS server is integrated into Active Directory (AD), you will pretty much get these records for free. If not, you will have to set them up yourself.
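The SRV-based lookup the answer describes, written out as an added example (this is not code from the original post, and it is not how the Windows Kerberos client itself is implemented; a Windows client goes through the DC locator, but the DNS names it ends up querying are the ones shown). The example derives the realm from the SPN in the question, builds the `_kerberos._udp.<realm>` / `_kerberos._tcp.<realm>` names (plus the `_kerberos._tcp.dc._msdcs.<realm>` name that AD also registers), parses SRV answers and orders the targets by the RFC 2782 priority/weight rules. The DNS answers are constructed inline so it runs offline; the host names dc1/dc2/dc3 and the assumption that the SPN host's parent DNS domain is the Kerberos realm are mine, not the post's.

```python
"""Locate a KDC from an SPN via DNS SRV records (added example, not the post's code).

The realm is assumed to be the parent DNS domain of the SPN host, which is the
usual case for an AD-joined client (domain.local is a realm name, not a KDC host).
"""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def realm_from_spn(spn: str) -> str:
    """'http/intranet.domain.local' -> 'domain.local' (assumption: parent domain == realm)."""
    service, _, host = spn.partition("/")
    if not service or not host:
        raise ValueError(f"malformed SPN: {spn!r}")
    host = host.split(":", 1)[0].rstrip(".")     # drop an optional port and trailing dot
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"SPN host has no DNS domain to derive a realm from: {host!r}")
    return ".".join(labels[1:]).lower()


def kdc_srv_names(realm: str) -> List[str]:
    """SRV names to query for the realm's KDCs, in the order this example tries them.
    _kerberos._udp/_tcp.<realm> are the generic Kerberos names (UDP is the one the
    answer cites); _kerberos._tcp.dc._msdcs.<realm> is registered by AD DCs."""
    return [
        f"_kerberos._udp.{realm}",
        f"_kerberos._tcp.{realm}",
        f"_kerberos._tcp.dc._msdcs.{realm}",
    ]


def parse_srv_answer(lines: Iterable[str]) -> List[SrvRecord]:
    """Parse zone-file style lines: 'owner ttl IN SRV priority weight port target.'"""
    records = []
    for line in lines:
        line = line.split(";", 1)[0].strip()       # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if "SRV" not in fields:
            raise ValueError(f"not an SRV record: {line!r}")
        i = fields.index("SRV")
        prio, weight, port, target = fields[i + 1:i + 5]
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return records


def order_srv_targets(records: Iterable[SrvRecord], rng=random) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first; within one priority, weighted random
    selection, so a weight-0 record is only chosen once all weighted ones are used."""
    by_priority: Dict[int, List[SrvRecord]] = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = group[0]                    # only zero weights left: any order is fine
            else:
                point = rng.randint(0, total - 1)  # running weight sum must exceed this
                acc = 0
                for pick in group:
                    acc += pick.weight
                    if acc > point:
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def locate_kdc(spn: str, dns: Dict[str, List[str]], rng=random) -> Tuple[str, List[SrvRecord]]:
    """Return the SRV name that answered and the KDC targets in the order to try them.
    `dns` stands in for a resolver: SRV name -> answer lines."""
    realm = realm_from_spn(spn)
    for name in kdc_srv_names(realm):
        answer = dns.get(name)
        if answer:
            return name, order_srv_targets(parse_srv_answer(answer), rng)
    raise LookupError(f"no KDC SRV records found for realm {realm!r}")


# Constructed SRV answers (not a real lookup). dc1/dc2 share priority 0 and are
# balanced by weight; dc3 at priority 10 is only used when both are unavailable.
SAMPLE_DNS = {
    "_kerberos._udp.domain.local": [
        "_kerberos._udp.domain.local. 600 IN SRV 0 100 88 dc1.domain.local.",
        "_kerberos._udp.domain.local. 600 IN SRV 0 100 88 dc2.domain.local.",
        "_kerberos._udp.domain.local. 600 IN SRV 10 0 88 dc3.domain.local.  ; backup",
    ],
}

if __name__ == "__main__":
    name, kdcs = locate_kdc("http/intranet.domain.local", SAMPLE_DNS)
    print(f"queried {name}")
    for r in kdcs:
        print(f"  try {r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
```

Against a real resolver the same names can be checked by hand with `nslookup -type=SRV _kerberos._udp.domain.local`; if that returns nothing, the fallback in step 2 of the answer has nothing to fall back to and the records have to be created on the DNS server.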