Kerberos: Separating AS and TGS

In Kerberos, the Authentication Server (AS) and the Ticket Granting Server (TGS) are generally implemented on the same server. This machine is called the Key Distribution Center (KDC).

Surely, it makes sense to implement these services on the same physical machine, as in small and medium-sized networks it would be overkill to separate these two services. Additionally, I have a relatively reliable source, which says (translated):

TGS and AS have to access the same DB => it doesn't make much sense to implement TGS and AS on different machines

However, I don't see which database has to be shared between the two.

This is my idea of how I would separate AS and TGS; there are no shared databases:

  • As AS and TGS are separated, they have different Master Secrets
  • The AS has a database with all users with their respective master secret (used when the User signs in, to encrypt the session key), as well as the master secret of the TGS (to encrypt requested TGTs).
  • The TGS has a database, which allows it to determine which user is allowed to use which service (ACL, revocation list, ...), as well as a database with all services with their respective master secrets (to encrypt Tickets).

When a user wants to use a service (simplified):

  • Authenticate at the AS
  • Get a Ticket Granting Ticket (TGT), encrypted with the TGS Master Secret, as well as the session key, encrypted with the user's master secret.
  • Contact the TGS with the TGT
  • Get a Ticket, encrypted with the Service's Master Secret
  • Contact the Service with the Ticket

Am I missing something, or is there really no problem at all separating the AS and the TGS?
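A runnable sketch of the split proposed above, added here as an illustration (it is not code from the question, from the answer, or from any real Kerberos implementation). It stands in a toy encrypt-then-MAC construction for real Kerberos enctypes and uses a constructed realm with users alice and bob, one TGS key and one service cifs/fileserver; all of those names and the simplified ticket fields are assumptions. The AS object is built with only user keys and the TGS key, the TGS object with only its own key, service keys and an ACL, so the five steps run end to end without the two sharing any database:

```python
import hashlib
import hmac
import json
import secrets
import time

# Toy authenticated encryption: a stand-in for Kerberos enctypes, illustrative only.

def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload under key: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt; ValueError means wrong key or altered blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))

class AuthenticationServer:
    """Knows user long-term keys and the TGS key; knows nothing about services."""
    def __init__(self, user_keys: dict, tgs_key: bytes):
        self.user_keys, self.tgs_key = dict(user_keys), tgs_key

    def as_req(self, principal: str):
        session_key = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"cname": principal, "key": session_key.hex(),
                                  "exp": time.time() + 36000})
        enc_part = seal(self.user_keys[principal], {"key": session_key.hex(), "sname": "krbtgt"})
        return tgt, enc_part  # TGT readable only by the TGS, session key only by the user

class TicketGrantingServer:
    """Knows its own key, service keys and an ACL; holds no user keys at all."""
    def __init__(self, tgs_key: bytes, service_keys: dict, acl: dict):
        self.tgs_key, self.service_keys, self.acl = tgs_key, dict(service_keys), acl

    def tgs_req(self, tgt_blob: bytes, authenticator_blob: bytes, service: str):
        tgt = unseal(self.tgs_key, tgt_blob)            # only the TGS key opens a TGT
        if tgt["exp"] < time.time():
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(tgt["key"])
        auth = unseal(session_key, authenticator_blob)  # client proves it holds the session key
        if auth["cname"] != tgt["cname"]:
            raise PermissionError("authenticator does not match TGT")
        if service not in self.acl.get(tgt["cname"], ()):
            raise PermissionError(f"{tgt['cname']} is not allowed to use {service}")
        svc_key = secrets.token_bytes(32)
        ticket = seal(self.service_keys[service], {"cname": tgt["cname"], "key": svc_key.hex(),
                                                  "exp": time.time() + 3600})
        return ticket, seal(session_key, {"key": svc_key.hex(), "sname": service})

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_req(self, ticket_blob: bytes, authenticator_blob: bytes) -> str:
        ticket = unseal(self.key, ticket_blob)          # only the service key opens its tickets
        if ticket["exp"] < time.time():
            raise PermissionError("ticket expired")
        auth = unseal(bytes.fromhex(ticket["key"]), authenticator_blob)
        if auth["cname"] != ticket["cname"]:
            raise PermissionError("authenticator does not match ticket")
        return ticket["cname"]                          # authenticated client principal

def client_flow(principal: str, user_key: bytes, as_srv, tgs, service: Service) -> str:
    """The five simplified steps from the question, seen from the client."""
    tgt, enc = as_srv.as_req(principal)                                   # steps 1-2
    session_key = bytes.fromhex(unseal(user_key, enc)["key"])
    authenticator = seal(session_key, {"cname": principal, "ts": time.time()})
    ticket, enc2 = tgs.tgs_req(tgt, authenticator, service.name)          # steps 3-4
    svc_key = bytes.fromhex(unseal(session_key, enc2)["key"])
    return service.ap_req(ticket, seal(svc_key, {"cname": principal, "ts": time.time()}))  # step 5

def build_realm():
    """Constructed sample realm: two users, one service, alice authorised and bob not."""
    user_keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    tgs_key, fs_key = secrets.token_bytes(32), secrets.token_bytes(32)
    as_srv = AuthenticationServer(user_keys, tgs_key)
    tgs = TicketGrantingServer(tgs_key, {"cifs/fileserver": fs_key}, {"alice": {"cifs/fileserver"}})
    services = {"cifs/fileserver": Service("cifs/fileserver", fs_key)}
    return as_srv, tgs, services, user_keys
```

Calling `client_flow("alice", ...)` returns `"alice"` at the service, while bob is refused at the TGS by its ACL and a TGT with a flipped ciphertext byte fails the TGS's integrity check. Note what each component had to hold: the AS never sees a service key and the TGS never sees a user key, which is the separation the question describes; the only thing the two share is the TGS key itself.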


Your question is all theory. So I'll answer in kind. The AS and the TGS are logical servers, and as such they could theoretically be separated. But in practice there has been no good reason to implement them on separate machines, and so no one does that in real life. Even the largest, busiest networks in the world in terms of Kerberos authentication have no need to separate out the logical components of the KDCs. In real-life implementations of Kerberos, all the data that the AS needs and all the data that the TGS needs are stored in the same database. It could theoretically be separated, but there is just no good reason to do so, and doing so would do nothing but needlessly complicate the implementation.