Ticket Granting Tickets (TGT)

In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain.

Use of the TGT was designed into the Kerberos protocol to avoid having to frequently ask the user for a password – password used by Kerberos to derive a master key – or having to store the master key on the workstation.

Frequently Asked Questions
What is Kinit?

The kinit command prompts the user for his password, fetches from the KDC an initial ticket-granting ticket for a user, and caches it.

What is a ticket granting session key?

In Kerberos, a session key is a temporary key used for a single logon session instead of repeatedly requesting the user to provide a password from which to derive his master key. When a user logs on, the user requests a ticket for the Key Distribution Center (KDC). The KDC responds by creating a logon session key and a ticket for the Ticket Granting Service (TGS). One copy of the logon session key is embedded in the ticket, and the ticket is encrypted with the KDC’s master key. Another copy of the logon session key is encrypted with the user’s master key derived from the user’s logon password. Both the ticket and the encrypted session key are sent to the client.

When the client gets the KDC’s reply, it decrypts the logon session key with the user’s master key derived from the user’s password. The client no longer needs the key derived from the user’s password because the client will now use the logon session key to decrypt its copy of any server session key it gets from the KDC. The client stores the logon session key in its ticket cache along with its ticket for the TGS.

What is a ticket in a network?

A ticket is a form of authentication and authorization token.

What is TGT Kerberos?

In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain.

Why do we need a ticketing system?

A ticketing system is essentially an access control system that requires users to authenticate and authorization to be vetted before tickets – otherwise known as access tokens – are provided.

How does Kerberos utilize ticket granting tickets?

In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) to be used to request from the Ticket Granting Service (TGS) access tokens for specific resources/systems joined to the domain.

How is golden ticket connected to TGT?

A Golden Ticket attack is when an attacker has complete and unrestricted access to an entire domain – all computers, files, folders, and most importantly the access control system itself.

Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Service. The attacker gains control over the domain’s Key Distribution Service account (KRBTGT account) by stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain. And with valid TGTs, the attacker can request from the Ticket Granting Service (TGS) access to any resource/system on its domain.

Because the attacker is controlling the component of the access control system that is responsible for issuing Ticket Granting Tickets (TGTs), then he has the golden ticket to access any resource on the domain.