Kerberos - TGT
surfthegecko
Member Posts: 149
Hi,
Can anybody out there provide links or explanations on the Kerberos topic, particularly on the subject of Ticket Granting Tickets.
I have been watching the CBT Nuggets video and read a chapter on this, but it just seems to read "blah, blah, blah, blah, blah".
I just can't seem to focus at all on this topic with the material I have.
Any concise explanations, or well-read web articles, will be greatly received.
Thanks
Comments
surfthegecko
Member Posts: 149
I have spent a bit longer and think I might have cracked it using a few extra web resources.
Can anybody confirm that I have this info correct:
Issuing A TGT (Ticket Granting Ticket)
This acts as the Master Ticket, and is created so domain passwords do not need to be sent back and forth.
-Computer and user log on
-Client computer sends a hashed version of the password (sometimes including the local time) to the DC/KDC
-DC decrypts with a local copy of the hash
-DC then checks that the local time encrypted is no longer than 5 minutes later
-DC then pre-authenticates the package, and then continues to authenticate as the rest of the Kerberos transaction proceeds
-DC then generates a PAC (Privilege Access Certificate) containing their access, SID, logon hours, access restrictions etc.
-This is then packaged into a TGT and passed back to the client to decrypt
Issuing A ST (Session Ticket)
This ticket is only valid for a limited time and for a particular purpose. This is issued off the back of the TGT.
-Client computer sends its TGT to the TGS/KDC/DC and requests a Session/Service Ticket
-TGS/KDC/DC then sends a Session/Service Ticket to the client
-Client computer sends the ST to a Validating Server (e.g. File Server)
-Validating Server authenticates the ST
-Client/Server Session is then established
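The two exchanges listed above (TGT issue, then ST issue and validation), written out as an added simulation that is not from the post or from any real Kerberos implementation. Real Kerberos uses AES (or RC4) and ASN.1 messages; here each "encrypted part" is a JSON blob sealed with an HMAC-based toy cipher so that only a holder of the right key can open it, and the realm, user, service names and secrets are constructed sample values. It shows which key unlocks which ticket: the user's key opens the AS reply, only the krbtgt key opens the TGT, and only the file server's key opens the ST, which is why the file server needs no round-trip to the DC.

```python
import hashlib, hmac, json, os

SKEW = 300  # the post's "no more than 5 minutes" clock check, in seconds
REALM = "EXAMPLE.LOCAL"  # constructed realm; all names and secrets below are sample values

def derive_key(password, salt):  # string-to-key: the DC stores this key, not the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _stream(key, nonce, n):  # HMAC-derived keystream, a toy stand-in for AES
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):  # encrypt-then-MAC: only a holder of the same key can open it
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, box):
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Keys the DC/KDC holds: the user's key, the krbtgt key (seals TGTs), the file server's key (seals STs)
KDC = {"alice": derive_key("hunter2", REALM + "alice"),
       "krbtgt": os.urandom(32), "cifs/fs01": os.urandom(32)}

def as_exchange(user, password, client_time, kdc_time):
    """AS-REQ/AS-REP: pre-authenticate with an encrypted timestamp, receive the TGT."""
    ukey = derive_key(password, REALM + user)
    pa = seal(ukey, {"ts": client_time})          # PA-ENC-TIMESTAMP, sent instead of the password
    if abs(unseal(KDC[user], pa)["ts"] - kdc_time) > SKEW:  # DC opens it with its copy of the key
        raise ValueError("KRB_AP_ERR_SKEW: timestamp outside the 5-minute window")
    sk = os.urandom(32).hex()                     # TGT session key
    tgt = seal(KDC["krbtgt"], {"user": user, "sk": sk, "pac": ["Domain Users"]})
    rep = seal(ukey, {"sk": sk})                  # enc-part the client can open with its own key
    return tgt, unseal(ukey, rep)["sk"]           # the client holds the TGT but cannot read it

def tgs_exchange(tgt, sk, service, client_time):
    """TGS-REQ/TGS-REP: present TGT plus authenticator, receive a service ticket (ST)."""
    t = unseal(KDC["krbtgt"], tgt)                # only the KDC can open the TGT
    unseal(bytes.fromhex(t["sk"]), seal(bytes.fromhex(sk), {"ts": client_time}))  # authenticator
    svc_sk = os.urandom(32).hex()
    st = seal(KDC[service], {"user": t["user"], "pac": t["pac"], "sk": svc_sk})
    rep = seal(bytes.fromhex(t["sk"]), {"sk": svc_sk})
    return st, unseal(bytes.fromhex(sk), rep)["sk"]
def service_accept(service, st):
    """AP-REQ: the validating server opens the ST with its own key; no DC round-trip."""
    t = unseal(KDC[service], st)
    return t["user"], t["pac"]
```

A wrong password fails at the pre-auth step, a clock more than SKEW seconds off fails the skew check, and a ticket presented to a server holding a different key fails the MAC, which are the three failures a defender most often sees behind Kerberos logon errors.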