Kerberos Tickets

There are two types of tickets in a Kerberos security system: ticket-granting tickets and service tickets. To gain access to a kerberized application, you must first obtain a ticket-granting ticket (TGT).

Ticket-Granting Tickets

When a user requests access to a service that requires Kerberos authentication, the KDC generates a TGT that consists of the user's principal name, the ticket expiration time, and a unique session key, all encrypted with the master key for the KDC. The KDC returns this TGT to the Kerberos client with a copy of the unique session key that is encrypted with a key derived from the user's password. If the Kerberos client can decrypt the session key (proving that the user knows the password), it can use the session key and TGT to obtain a service ticket.

After you've been granted a valid TGT, the Kerberos client obtains service tickets for this principal each time you request access to a kerberized application, throughout the lifetime of the ticket-granting ticket. As long as the TGT is valid, you can log in to kerberized applications as often as necessary without having to obtain another TGT.

A renewable ticket is a special TGT with a flag set indicating that it can be renewed. When a TGT is about to expire, the user can request that it be renewed. If the TGT is renewable, the KDC sends the Kerberos client a new TGT that is valid for the period of time specified in the Kerberos tab of the Security Properties dialog box. The maximum lifetime and number of renewals are set by the system administrator of the KDC.

A forwardable ticket is a TGT that you can forward to another host and get service tickets for additional services without having to repeat the authentication process with the KDC. Tickets that have been forwarded once may be forwarded again.

Service Tickets

To gain access to a service that requires Kerberos authentication, the client application must present a valid service ticket. When the Kerberos client sends a service ticket request along with a valid TGT, the KDC issues a service ticket that consists of the user's principal name, a new session key for the workstation, and the service to use for this session, all encrypted with the service's master key. The KDC returns the service ticket to the Kerberos client with the name of the requested service and a copy of the new session key, which it encrypts with the original TGT session key.

The Kerberos client uses the original session key to decrypt the message, and extract the service ticket and key that it will use to establish a session with the service.

A service ticket usually remains valid for the life of the TGT. A new service ticket is required to log in to a different host, and may be required when requesting a different service on the same host.