Kerberos - TGT


Can anybody out there provide links or explanations on the Kerberos topic, particularly on the subject of Ticket Granting Tickets?

I have been watching the CBT Nuggets video and read a chapter on this, but it just seems to read "blah, blah, blah, blah, blah" :)

I just can't seem to focus at all on this topic with the material I have.

Any concise explanations, or well-read web articles, will be greatly received.



    surfthegecko Member Posts: 149
    I have spent a bit longer and think I might have cracked it using a few extra web resources.

    Can anybody confirm that I have this info correct:

    Issuing a TGT (Ticket Granting Ticket)
    This acts as the master ticket, and is created so domain passwords do not need to be sent back and forth.

    - Computer and user log on
    - Client computer sends a hashed version of the password (sometimes including the local time) to the DC/KDC

    - DC decrypts with a local copy of the hash
    - DC then checks that the encrypted local time is no more than 5 minutes later
    - DC then pre-authenticates the package, and the rest of the Kerberos transaction proceeds

    - DC then generates a PAC (Privilege Access Certificate) containing their access, SID, logon hours, access restrictions etc.
    - This is then packaged into a TGT and passed back to the client to decrypt

    Issuing an ST (Session Ticket)
    This ticket is only valid for a limited time and for a particular purpose. It is issued off the back of the TGT.

    - Client computer sends its TGT to the TGS/KDC/DC and requests a Session/Service Ticket
    - TGS/KDC/DC then sends a Session/Service Ticket to the client
    - Client computer sends the ST to a validating server (e.g. file server)
    - Validating server authenticates the ST
    - Client/server session is then established
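The following is an added example, not code from this thread or from any real Kerberos implementation: a small Python simulation of the three exchanges the post walks through (AS exchange for the TGT, TGS exchange for the service ticket, AP exchange with the file server). The principal names (alice, krbtgt, cifs/fs01), their passwords, the SID and the PAC contents are all constructed, and the seal/unseal routine is a toy XOR-plus-HMAC stand-in for the real Kerberos encryption types. What it makes visible is where each key is used: the pre-authentication timestamp is sealed with a key derived from the user's password and checked by the KDC against its own copy, the KDC rejects it with KRB_AP_ERR_SKEW when the clocks differ by more than 5 minutes, the TGT itself is sealed under the krbtgt key so the client can only open the separate part holding the session key, and the file server validates the service ticket with its own key without contacting the KDC.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds: the 5-minute clock window the post refers to


def string_to_key(password, salt):
    # Long-term key derived from the password; stands in for Kerberos' real string-to-key function
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key, obj):
    # Toy authenticated encryption (keystream XOR + HMAC tag); real Kerberos uses AES/RC4 etypes
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY")  # wrong key or tampered blob
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def check_timestamp(ts, now):
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("KRB_AP_ERR_SKEW")


class KDC:
    """Plays both roles of the DC: the AS (issues TGTs) and the TGS (issues service tickets)."""

    def __init__(self, principals):
        self.keys = {name: string_to_key(pw, name) for name, pw in principals.items()}
        # Constructed PAC data; a real PAC carries SIDs, group membership, logon hours, etc.
        self.pac = {"alice": {"sid": "S-1-5-21-EXAMPLE-1001", "groups": ["Domain Users"]}}

    def as_exchange(self, cname, padata, now):
        # Pre-authentication: the timestamp must open under the user's key and be fresh
        try:
            ts = unseal(self.keys[cname], padata)["timestamp"]
        except ValueError:
            raise ValueError("KDC_ERR_PREAUTH_FAILED") from None
        check_timestamp(ts, now)
        session_key = os.urandom(32).hex()
        # The TGT is sealed with the krbtgt key: the client carries it but cannot read it
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "session_key": session_key,
                                          "pac": self.pac[cname], "expires": now + 10 * 3600})
        return {"tgt": tgt, "enc_part": seal(self.keys[cname], {"session_key": session_key})}

    def tgs_exchange(self, tgt, authenticator, sname, now):
        t = unseal(self.keys["krbtgt"], tgt)  # only the KDC can open a TGT
        auth = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if auth["cname"] != t["cname"] or now > t["expires"]:
            raise ValueError("KRB_AP_ERR_BADMATCH")
        check_timestamp(auth["timestamp"], now)
        svc_key = os.urandom(32).hex()
        # The service ticket is sealed with the service's own key and carries the PAC forward
        st = seal(self.keys[sname], {"cname": t["cname"], "session_key": svc_key, "pac": t["pac"]})
        return {"ticket": st, "enc_part": seal(bytes.fromhex(t["session_key"]), {"session_key": svc_key})}


def service_accept(service_key, ticket, authenticator, now):
    # The file server validates the ST with its own key; it does not contact the KDC for this
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if auth["cname"] != t["cname"]:
        raise ValueError("KRB_AP_ERR_BADMATCH")
    check_timestamp(auth["timestamp"], now)
    return t["pac"]


def try_logon(password, client_skew=0):
    """Run AS -> TGS -> AP for 'alice'; returns the PAC the file server sees, or the error name."""
    now = time.time()
    client_now = now + client_skew  # simulate a client clock that is ahead or behind the DC
    kdc = KDC({"alice": "Hunter2!", "krbtgt": "kdc-secret", "cifs/fs01": "svc-secret"})
    user_key = string_to_key(password, "alice")
    try:
        rep = kdc.as_exchange("alice", seal(user_key, {"timestamp": client_now}), now)
        s1 = bytes.fromhex(unseal(user_key, rep["enc_part"])["session_key"])  # client opens enc_part only
        rep2 = kdc.tgs_exchange(rep["tgt"], seal(s1, {"cname": "alice", "timestamp": client_now}),
                                "cifs/fs01", now)
        s2 = bytes.fromhex(unseal(s1, rep2["enc_part"])["session_key"])
        return service_accept(kdc.keys["cifs/fs01"], rep2["ticket"],
                              seal(s2, {"cname": "alice", "timestamp": client_now}), now)
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(try_logon("Hunter2!"))        # the PAC dict
    print(try_logon("wrong-password"))  # KDC_ERR_PREAUTH_FAILED
    print(try_logon("Hunter2!", -600))  # KRB_AP_ERR_SKEW
```

Two things worth noticing when reading the output: a wrong password never reaches the KDC as a password at all, it only shows up as a pre-authentication blob that fails to open (KDC_ERR_PREAUTH_FAILED), and a client whose clock is ten minutes off is refused before any ticket is issued (KRB_AP_ERR_SKEW), which is why unexplained bursts of either error on a DC are worth a look.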