Use Wireshark to trace Authentication Service Exchange and Ticket-Granting Service Exchange
You can use Wireshark to trace the Kerberos traffic between the Kerberos client and the Kerberos KDC (Windows Domain Controller). This traffic relates to the Kerberos Authentication Service Exchange (
AS-REP) and the Ticket-Granting Service Exchange (
TGS-REP) when the client requests the TGT and service ticket.
If you have the Kerberos client and Kerberos service running on separate machines, run Wireshark on the same machine as the Kerberos client.
- Start a Wireshark capture with the following filter:
ip.addr==<ip address of the Windows Domain Controller> and kerberos
ip.addr==10.0.7.78 and kerberos
- Restart API Gateway running the Kerberos client. If the Kerberos client is a 3rd party application, you most likely need to restart the application as well to ensure that a cached TGT and service ticket are not used.
- Send a message from the Kerberos client to the Kerberos service.
The Kerberos traffic is as follows:
AS-REP are generated at the startup of API Gateway, because this is when the TGT for the Kerberos client is requested from the KDC. The TGT is only re-requested when it expires, because the TGT is cached in API Gateway.
TGS-REP are created when the Kerberos client sends a message to the Kerberos service to request the service ticket for the Kerberos service. The
TGS-REQ is only sent from the Kerberos client on the first request, or when the service ticket has expired, because the service ticket is cached in API Gateway.
- The service ticket is encrypted with the secret key of the Kerberos service. To view the content decrypted, you must have the keytab of the Kerberos service imported in the Wireshark. See Use Wireshark to trace authentication between the client and service.