Vocabulary flashcards detailing the Kerberos authentication components (TGT, TGS, KDC) and their step-by-step role in accessing domain resources.
TGT
Ticket Granting Ticket; mainly used to prove the user's identity to the domain KDC and to request service tickets whenever the user wants to access a resource.
TGS
Service Ticket; issued by the KDC after a user presents a valid TGT, allowing the user to access a specific machine or service.
KDC
Key Distribution Center; the entity that verifies user credentials, issues TGTs, and checks TGT validity to issue service tickets.
PAC
Privilege Attribute Certificate; data contained within a service ticket that includes user identity (SID), group memberships, and privilege data.
Step 1: User Authentication
The process where a user enters a username and password, the KDC verifies credentials, and then issues a TGT stating the user is authenticated to the domain.
Step 2: Service Ticket Request
The client sends the TGT to the KDC to ask for a ticket for a specific service, such as cifs/server.domain.local, while the KDC checks if the TGT is valid and not expired.
Step 3: Service Access
The client sends the TGS to the target machine, which decrypts the ticket to verify the user's identity and privileges via the PAC.
SID
User identity information contained within a service ticket (TGS).
Resource Access Examples
Situations requiring a TGS include accessing a file server, another workstation, or services like SQL, HTTP, and LDAP.