Kerberos - ticket-granting ticket (TGT)

About

A ticket-granting ticket (TGT) is the first ticket obtained in a Kerberos system. It's a special ticket that permits the client to obtain additional Kerberos tickets (service tickets) within the same Kerberos realm, without presenting the password again.

Under Kerberos, a client (generally either a user or a service) sends an authentication request (AS-REQ) to the Key Distribution Center (KDC). The KDC answers (AS-REP) with two encrypted parts: a ticket-granting ticket (TGT) for the client, encrypted under the long-term key of the krbtgt service principal, and a fresh session key to be used with that TGT, encrypted under the client's long-term key, which is derived from the client's password. The client can decrypt only the second part; the TGT itself stays opaque to it. If that decryption succeeds (i.e., if the client knew the correct password), the client caches the TGT together with the session key. From then on, presenting the TGT plus data encrypted with the session key is the client's proof of identity. Since Kerberos V5 the KDC normally requires pre-authentication (for example a timestamp encrypted with the client's key) before issuing the TGT, so that the reply encrypted under a user's key cannot be obtained for arbitrary principals and guessed offline.

The TGT expires at the time recorded in it and permits the client to obtain additional tickets, each of which grants access to one specific service. The requesting and granting of these additional tickets is transparent to the user.

Holding a valid TGT allows the principal to request a service ticket from the Ticket Granting Server (TGS).
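
The exchange described above as a runnable model. This is an added illustration, not code from this page or from any Kerberos implementation: the cipher is a stand-in (an HMAC-SHA256 keystream plus an HMAC tag) for the real Kerberos encryption types, and string_to_key is plain PBKDF2 without the final derivation step of RFC 3962, so nothing here interoperates with a KDC. The realm, principal, password and key sizes are made up. What the model keeps is the structure of the reply: two encrypted parts, one the client can open (under its own long-term key) and one it cannot (the TGT, under the krbtgt key).

```python
"""Toy model of the Kerberos AS exchange (AS-REQ / AS-REP).

Added illustration; not code from the page or from any Kerberos implementation.
Cipher and string-to-key are simplified stand-ins (see the lead-in).
"""
import hashlib
import hmac
import json
import os

KEY_LEN = 32    # toy key size, not a Kerberos etype parameter
NONCE_LEN = 16
TAG_LEN = 32


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key from a password. Kerberos salts with REALM + principal,
    so the same password yields different keys in different realms."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; a toy stand-in for a Kerberos etype."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def can_open(key: bytes, blob: bytes) -> bool:
    """True if `key` opens `blob`; used to show which party can read which part."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class KDC:
    """Authentication Service side. Pre-authentication is deliberately omitted."""

    def __init__(self, realm: str, passwords: dict, lifetime: int = 10 * 3600):
        self.realm = realm
        self.client_keys = {p: string_to_key(pw, realm, p) for p, pw in passwords.items()}
        self.krbtgt_key = os.urandom(KEY_LEN)   # long-term key of krbtgt/REALM@REALM
        self.lifetime = lifetime

    def as_exchange(self, client: str, now: float) -> dict:
        """Build the AS-REP for an AS-REQ from `client`."""
        if client not in self.client_keys:
            raise KeyError("unknown principal")
        session_key = os.urandom(KEY_LEN)
        endtime = now + self.lifetime
        sname = f"krbtgt/{self.realm}@{self.realm}"
        # The TGT: readable only by the TGS, i.e. by whoever holds krbtgt_key.
        tgt = {"cname": client, "sname": sname, "key": session_key.hex(), "endtime": endtime}
        # The client's part: the same session key, under the client's own key.
        enc_part = {"sname": sname, "key": session_key.hex(), "endtime": endtime}
        return {
            "ticket": encrypt(self.krbtgt_key, json.dumps(tgt).encode()),
            "enc-part": encrypt(self.client_keys[client], json.dumps(enc_part).encode()),
        }

    def open_ticket(self, blob: bytes) -> dict:
        """What the TGS does later with a presented TGT."""
        return json.loads(decrypt(self.krbtgt_key, blob))


def client_login(kdc: KDC, principal: str, password: str, now: float) -> dict:
    """Client side: fetch the AS-REP and open only the enc-part.
    A wrong password surfaces here as a ValueError."""
    rep = kdc.as_exchange(principal, now)
    key = string_to_key(password, kdc.realm, principal)
    enc_part = json.loads(decrypt(key, rep["enc-part"]))
    return {"tgt": rep["ticket"],
            "session_key": bytes.fromhex(enc_part["key"]),
            "endtime": enc_part["endtime"]}


if __name__ == "__main__":
    kdc = KDC("CONTOSO.COM", {"alice": "correct horse battery staple"})
    creds = client_login(kdc, "alice", "correct horse battery staple", now=0.0)
    alice_key = string_to_key("correct horse battery staple", kdc.realm, "alice")
    print("session key:", creds["session_key"].hex())
    print("client can open its own TGT:", can_open(alice_key, creds["tgt"]))
    print("TGS reads cname from the TGT:", kdc.open_ticket(creds["tgt"])["cname"])
```

Two things the model makes visible: the client never decrypts the TGT, only the part carrying the session key, and the krbtgt key is what protects every TGT. Because this KDC hands out the client-encrypted part before verifying anything, it also shows the offline-guessing exposure that Kerberos pre-authentication exists to close.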

Analogy

A good analogy for the ticket-granting ticket is a three-day ski pass that is good at four different resorts. You show the pass at whichever resort you decide to go to (until it expires), and you receive a lift ticket for that resort. Once you have the lift ticket, you can ski all you want at that resort. If you go to another resort the next day, you once again show your pass, and you get an additional lift ticket for the new resort. The difference is that the Kerberos V5 programs notice that you have the three-day ski pass and get the lift ticket for you, so you don't have to perform the transactions yourself.

krbtgt

krbtgt (Kerberos TGT) is the name of the ticket-granting service principal: every TGT is a ticket for the service krbtgt/REALM@REALM, and it is encrypted under that principal's long-term key. That key is therefore the most sensitive key in the realm, since whoever holds it can read and forge TGTs for any principal.

See also klist, which shows the krbtgt entry in the credentials cache.

Domain

There will be a TGT in the credentials cache for each domain (realm) the principal has accessed resources in.

For example, if a user in the contoso.com domain accesses a file server in emea.contoso.com, the user's cache will hold a TGT for:

  • contoso.com (krbtgt/CONTOSO.COM@CONTOSO.COM, from the user's own domain),
  • and emea.contoso.com (a cross-realm TGT, krbtgt/EMEA.CONTOSO.COM@CONTOSO.COM, issued by the user's domain for the trusted domain's TGS)

List

Like any ticket, you can list it, for instance with klist or with the Windows MIT Kerberos Ticket Manager utility.

Mit Kerberos Ticket Manager

In the listing, the first component of the service principal name (the part before the /) identifies the service the ticket is for:

  • krbtgt means the Kerberos ticket-granting service, i.e. the ticket is a TGT
  • hive means the Hive database service, i.e. the ticket is a service ticket for Hive
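
A parser for the listing, covering both the per-domain TGTs of the previous section and the service-name rule above. This is an added example, not code from this page or from MIT Kerberos. SAMPLE_KLIST is constructed; its layout follows MIT klist output (cache line, "Default principal:", a column header, then one line per ticket with an optional tab-indented "renew until" continuation), but the timestamp format depends on locale and krb5 version, so DATE_FMT is an assumption that may need adjusting for your system. The principal names and hosts are made up.

```python
"""Parse MIT `klist` output and report which TGTs the cache holds, per realm.

Added example; not code from the page or from MIT Kerberos.
SAMPLE_KLIST is constructed and DATE_FMT assumes the default en_US layout.
"""
import re
from datetime import datetime
from typing import NamedTuple, Optional

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CONTOSO.COM

Valid starting       Expires              Service principal
02/01/2024 09:00:00  02/01/2024 19:00:00  krbtgt/CONTOSO.COM@CONTOSO.COM
\trenew until 02/08/2024 09:00:00
02/01/2024 09:05:12  02/01/2024 19:00:00  krbtgt/EMEA.CONTOSO.COM@CONTOSO.COM
02/01/2024 09:05:13  02/01/2024 19:00:00  cifs/fs01.emea.contoso.com@EMEA.CONTOSO.COM
01/31/2024 08:00:00  01/31/2024 18:00:00  krbtgt/ASIA.CONTOSO.COM@CONTOSO.COM
"""

DATE_FMT = "%m/%d/%Y %H:%M:%S"
# start, expiry, service principal; requiring a time of day in the first two
# groups keeps the column header from matching
TICKET_RE = re.compile(r"^(\S+ \d\d:\d\d:\d\d)\s+(\S+ \d\d:\d\d:\d\d)\s+(\S+)$")


class Ticket(NamedTuple):
    start: datetime
    expires: datetime
    service: str                    # e.g. krbtgt/EMEA.CONTOSO.COM@CONTOSO.COM
    renew_until: Optional[datetime]

    @property
    def service_name(self) -> str:
        """First component of the service principal: krbtgt, cifs, hive, ..."""
        return self.service.split("/", 1)[0]

    @property
    def issuing_realm(self) -> str:
        """Realm after the @, i.e. the KDC that issued the ticket."""
        return self.service.rsplit("@", 1)[1]

    @property
    def is_tgt(self) -> bool:
        return self.service_name == "krbtgt"

    @property
    def tgt_realm(self) -> Optional[str]:
        """For a TGT, the realm whose TGS it is for. Differs from
        issuing_realm for a cross-realm TGT obtained through a trust."""
        if not self.is_tgt:
            return None
        return self.service.split("/", 1)[1].rsplit("@", 1)[0]


def parse_klist(text: str):
    """Return (default principal, [Ticket, ...]) from klist output."""
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        if line.lstrip().startswith("renew until") and tickets:
            # continuation line belonging to the previous ticket
            stamp = line.split("renew until", 1)[1].strip()
            tickets[-1] = tickets[-1]._replace(renew_until=datetime.strptime(stamp, DATE_FMT))
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(datetime.strptime(m.group(1), DATE_FMT),
                                  datetime.strptime(m.group(2), DATE_FMT),
                                  m.group(3), None))
    return principal, tickets


def tgt_status(tickets, now: str) -> dict:
    """Map each realm the cache holds a TGT for to 'valid' or 'expired'.
    `now` is given in DATE_FMT so results are reproducible."""
    t = datetime.strptime(now, DATE_FMT)
    status = {}
    for tk in tickets:
        if tk.is_tgt:
            status[tk.tgt_realm] = "valid" if tk.start <= t < tk.expires else "expired"
    return status


if __name__ == "__main__":
    principal, tickets = parse_klist(SAMPLE_KLIST)
    print("principal:", principal)
    for tk in tickets:
        kind = f"TGT for {tk.tgt_realm}" if tk.is_tgt else f"service ticket ({tk.service_name})"
        print(f"  {tk.service:45s} {kind}")
    print(tgt_status(tickets, datetime.now().strftime(DATE_FMT)))
```

Run against real output with `klist | python3 this_script.py`-style plumbing after replacing SAMPLE_KLIST with sys.stdin.read(); the point of keeping the sample inline is that the parser and the cross-realm logic can be checked offline.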
