Kerberos - ticket-granting ticket (TGT)


1 - About

A ticket-granting ticket (TGT) is the first ticket obtained in a Kerberos system. It is a special ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos realm.

Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password. If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT, which indicates proof of the client's identity.

The TGT, which expires at a specified time, permits the client to obtain additional tickets, which give permission for specific services. The requesting and granting of these additional tickets is user-transparent.

Holding a valid TGT allows the principal to request a Service ticket.
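To make the exchange above concrete, here is an added Python model of it (example code written for this page, not MIT Kerberos code). The realm EXAMPLE.COM, the principal and the password are constructed; a toy HMAC-based cipher and PBKDF2 stand in for a real Kerberos encryption type and string-to-key function. It follows RFC 4120 slightly more precisely than the summary above: what the client decrypts with its password-derived key is the part of the reply carrying the session key, while the TGT itself is sealed under the krbtgt service key so that only the KDC can read it. A wrong password fails the integrity check, so nothing lands in the credentials cache.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Constructed values for this example; nothing here comes from a real realm.
REALM = "EXAMPLE.COM"
TGT_LIFETIME_SECONDS = 10 * 3600


def derive_client_key(password: str, realm: str, principal: str) -> bytes:
    """Password -> long-term client key. Kerberos salts with realm + principal;
    PBKDF2 here stands in for the real string-to-key function."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (not a real enctype)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag: a wrong key is detected by the tag
    instead of being silently turned into garbage plaintext."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """Minimal Authentication Service: knows every client's long-term key and
    the key of its own krbtgt/REALM service."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.krbtgt_key = os.urandom(32)
        self.client_keys: Dict[str, bytes] = {}

    def register(self, principal: str, password: str) -> None:
        self.client_keys[principal] = derive_client_key(password, self.realm, principal)

    def as_exchange(self, principal: str) -> bytes:
        """Handle an AS-REQ: build a TGT for the named principal, return the AS-REP."""
        expires = int(time.time()) + TGT_LIFETIME_SECONDS
        session_key = os.urandom(32).hex()
        # The TGT is sealed under the krbtgt key: the client carries it but cannot read it.
        tgt = encrypt(self.krbtgt_key, json.dumps(
            {"client": principal, "realm": self.realm,
             "session_key": session_key, "expires": expires}).encode())
        # The client-readable part is sealed under the client's password-derived key.
        enc_part = encrypt(self.client_keys[principal], json.dumps(
            {"sname": f"krbtgt/{self.realm}@{self.realm}",
             "session_key": session_key, "expires": expires}).encode())
        return json.dumps({"tgt": tgt.hex(), "enc_part": enc_part.hex()}).encode()


def client_login(kdc: KDC, principal: str, password: str) -> Optional[dict]:
    """Client side of the AS exchange. Returns the credentials-cache entry on
    success, or None when the password does not unlock the reply."""
    reply = json.loads(kdc.as_exchange(principal))
    key = derive_client_key(password, kdc.realm, principal)
    try:
        enc_part = json.loads(decrypt(key, bytes.fromhex(reply["enc_part"])))
    except ValueError:
        return None
    # What klist would later show: the opaque TGT plus the session key used with it.
    return {"sname": enc_part["sname"], "expires": enc_part["expires"],
            "session_key": enc_part["session_key"], "tgt": reply["tgt"]}


if __name__ == "__main__":
    kdc = KDC(REALM)
    kdc.register("alice", "correct horse battery staple")   # constructed credentials
    print(client_login(kdc, "alice", "correct horse battery staple")["sname"])
    print(client_login(kdc, "alice", "not the password"))   # None
```

The session key returned inside the cache entry is what the client will later use, together with the opaque TGT, when it asks the ticket-granting service for service tickets; the client never needs its password again while the TGT is valid.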


3 - Analogy

A good analogy for the ticket-granting ticket is a three-day ski pass that is good at four different resorts. You show the pass at whichever resort you decide to go to (until it expires), and you receive a lift ticket for that resort. Once you have the lift ticket, you can ski all you want at that resort. If you go to another resort the next day, you once again show your pass, and you get an additional lift ticket for the new resort. The difference is that the Kerberos V5 programs notice that you have the weekend ski pass, and get the lift ticket for you, so you don't have to perform the transactions yourself.

4 - krbtgt

krbtgt means Kerberos TGT and describes the authentication service.

See also klist, which lists it from the credentials cache.

5 - Domain

There will be a TGT in the Credentials Cache for each domain the principal has accessed resources in.

For example, if a user in the contoso.com domain wanted access to a file server in emea.contoso.com, the user would have a TGT for:

  • contoso.com,
  • and emea.contoso.com

6 - List

Like every ticket, you can list it, for instance with the Windows MIT Kerberos Ticket Manager utility. In the listing, the first word of each service principal names the service the ticket is for:

  • krbtgt means Kerberos TGT
  • hive means the Hive database
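The two sections above (one TGT per domain in the cache, and reading the service name off the listing) can be demonstrated on a ticket listing. The following Python is an added example written for this page, not a tool from the page or from MIT Kerberos; the klist text it parses is constructed to match the contoso.com / emea.contoso.com scenario, with invented host names, times and cache path. It splits each service principal into service, instance and realm, picks out the krbtgt entries, and groups them by the realm they are accepted in.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed MIT-style klist output: alice lives in CONTOSO.COM and has
# reached a file server in EMEA.CONTOSO.COM. Hosts, times and the cache
# path are invented for this example.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CONTOSO.COM

Valid starting       Expires              Service principal
04/26/2019 09:00:00  04/26/2019 19:00:00  krbtgt/CONTOSO.COM@CONTOSO.COM
\trenew until 05/03/2019 09:00:00
04/26/2019 09:05:12  04/26/2019 19:00:00  krbtgt/EMEA.CONTOSO.COM@CONTOSO.COM
04/26/2019 09:05:13  04/26/2019 19:00:00  cifs/fs01.emea.contoso.com@EMEA.CONTOSO.COM
04/26/2019 09:10:00  04/26/2019 19:00:00  hive/hive01.contoso.com@CONTOSO.COM
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
ENTRY_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({STAMP})$")


def split_principal(principal: str) -> tuple:
    """'service/instance@REALM' -> (service, instance, realm)."""
    name, _, realm = principal.rpartition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def parse_klist(text: str) -> List[dict]:
    entries: List[dict] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            service, instance, realm = split_principal(m.group(3))
            entries.append({
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "principal": m.group(3),
                "service": service, "instance": instance, "realm": realm,
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and entries:   # continuation line belongs to the entry just parsed
            entries[-1]["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
    return entries


def is_tgt(entry: dict) -> bool:
    """A TGT is a ticket for the krbtgt service; anything else is a service ticket."""
    return entry["service"] == "krbtgt"


def tgt_realms(entries: List[dict]) -> Dict[str, str]:
    """Map each realm the cache holds a TGT for to that TGT's service principal.
    In krbtgt/INSTANCE@ISSUER the instance names the realm the TGT is accepted
    in and ISSUER the realm whose KDC issued it; for a cross-realm TGT the two
    differ, which is how one user ends up with one TGT per domain."""
    return {e["instance"]: e["principal"] for e in entries if is_tgt(e)}


def valid_tgts(entries: List[dict], now: str) -> List[str]:
    """Service principals of TGTs still usable at `now` (same format as klist)."""
    t = datetime.strptime(now, TIME_FMT)
    return [e["principal"] for e in entries
            if is_tgt(e) and e["start"] <= t < e["expires"]]


if __name__ == "__main__":
    for e in parse_klist(SAMPLE_KLIST):
        kind = "TGT           " if is_tgt(e) else "service ticket"
        print(kind, e["principal"])
```

Running it prints two TGT lines (one for CONTOSO.COM, one for EMEA.CONTOSO.COM) followed by the cifs and hive service tickets; the second TGT is the cross-realm one that the contoso.com KDC issued so the client could approach the emea.contoso.com KDC.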

7 - Documentation / Reference

security/auth/kerberos/tgt.txt · Last modified: 2019/04/26 21:02 by 108.162.245.140