Kerberos uses authentication tickets to prove a client's identity to a server. There are two main types of ticket: ticket granting tickets (TGTs) and service tickets, also called session tickets. A key distribution center (KDC) manages the ticketing system and issues both kinds. Ticket contents are encrypted, but the KDC holds every user's and service's long-term key, so if the KDC is compromised every identity in the realm is at risk.
An authentication ticket is a security component of the Kerberos network authentication protocol. It works like a token, a small collection of data passed between a client computer and a server, so that the two can prove their identities to each other. In addition to this mutual identification, the ticket carries the client's identity (and, in implementations such as Active Directory, authorization data the server uses to decide which of its services the client may use) together with the period during which the ticket is valid.
There are essentially two types of authentication ticket. A ticket granting ticket (TGT), a ticket used to obtain other tickets, is the first ticket issued when the client establishes its identity. A TGT typically has a long lifetime (10 hours is a common default) and can be renewed, before it expires, for as long as its configured renewable lifetime allows. With a TGT in hand, the user can request individual service tickets for other servers on the network without presenting a password again.
A client-to-server ticket, also known as a session ticket or service ticket, is the second form of authentication ticket. This is typically a short-lived ticket issued when a client wants to use a service on a particular server. The service ticket contains the client's identity, optionally the client's network address, a session key that the client and server will share, and a validity period. In some Kerberos implementations, such as Microsoft® Active Directory®, a third type of ticket, called a referral ticket, is also used. This type of ticket is issued when a client wants to access a server that resides in a different domain from its own.
The Kerberos ticketing system works through a separate server, the key distribution center (KDC), which runs the entire authentication ticketing system. This machine has two sub-components. The first is the Authentication Server (AS), which knows all the users and services on the network and maintains a database of their long-term keys, derived from their passwords. When a user logs on, the client requests a TGT from the AS. The AS returns the TGT, which the client cannot read, together with a session key encrypted under the user's long-term key; only a client that knows the user's password can decrypt that part, and most deployments also require the client to prove knowledge of the password up front (pre-authentication) before the AS will answer.
When the user needs to access a server somewhere on the network, the client presents the TGT to the second part of the KDC, the ticket granting server (TGS), and requests a ticket for that service. The TGS returns a service ticket, which the client forwards to the requested server. The server decrypts the ticket with its own long-term key, which it can do without contacting the KDC, and, if the client asked for mutual authentication, sends back a message that proves the server's identity in turn. Whether the now-authenticated user is authorized to use the service is the server's own decision. In the cross-domain case, an additional step is required: the KDC of the client's own domain issues a referral ticket that lets the client request service tickets from the KDC of the other domain. Every ticket, and every sensitive part of the exchange, is encrypted under a key shared between its recipient and the KDC, so an attacker who intercepts the traffic cannot read a ticket or use it to masquerade as the user without the matching session key.
The main disadvantage of the authentication ticket method is the centralized structure of all authentication. An attacker who obtains the KDC's key database, including the key used to encrypt TGTs, can decrypt or forge tickets for any user and therefore impersonate anyone, without ever needing a password. Also, if the KDC is unavailable, no new tickets can be issued, so users cannot reach services they do not already hold tickets for. Another problem is that ticket lifetimes and the timestamps used to detect replays require all computers on the network to keep their clocks synchronized; a request whose timestamp differs from the server's clock by more than the permitted skew (typically five minutes) is rejected.
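The three exchanges described above (AS, TGS and the final server-side check), together with the lifetime and clock-skew rejections mentioned here, are modelled in the following Python program. It is an added illustration, not code from any Kerberos implementation and not the real Kerberos message formats: the realm name EXAMPLE.COM, the principals alice and http/web, the 5-minute skew limit and the toy authenticated-encryption routine standing in for a real Kerberos encryption type are all assumptions made for the example. What it shows is which party can decrypt which blob: the client never reads a ticket, the service validates a ticket with only its own key, and a stale authenticator, an expired ticket, a wrong password or a tampered ticket are each rejected.

```python
"""Toy model of the Kerberos ticket flow: AS exchange (TGT), TGS exchange
(service ticket) and AP exchange (mutual authentication), with ticket lifetime
and clock-skew checks. Added illustration; not real Kerberos message formats."""
import hashlib
import hmac
import json
import secrets

REALM = "EXAMPLE.COM"   # assumed realm name for the example
MAX_SKEW = 300          # seconds; five minutes is the usual default


def long_term_key(principal, password):
    """Password-derived long-term key (stand-in for the Kerberos string-to-key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{principal}@{REALM}".encode(), 10_000)


def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))


def seal(key, obj):
    """Toy authenticated encryption standing in for a Kerberos enctype (not production crypto)."""
    nonce, pt = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def check_skew(now, ts):
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("clock skew too great")


def validate_ticket(ticket_key, ticket_blob, authenticator, now):
    """Shared by the TGS and by services: decrypt the ticket with the key only this party holds,
    check its lifetime, then check the authenticator sealed under the ticket's session key."""
    t = unseal(ticket_key, ticket_blob)
    if not t["start"] <= now <= t["end"]:
        raise ValueError("ticket not yet valid or expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)  # only the real holder has this key
    if auth["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    check_skew(now, auth["ts"])
    return t, auth


class KDC:
    """Authentication Server plus Ticket Granting Server: holds every principal's key."""

    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)
        self.keys["krbtgt"] = secrets.token_bytes(32)  # TGTs are sealed with this key

    def as_exchange(self, cname, preauth, now, lifetime=10 * 3600):
        # Pre-authentication: the encrypted timestamp proves the client knows its long-term key.
        check_skew(now, unseal(self.keys[cname], preauth)["ts"])
        sk = secrets.token_bytes(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": sk, "start": now, "end": now + lifetime})
        # AS-REP: the TGT (opaque to the client) plus the TGS session key under the client's key.
        return tgt, seal(self.keys[cname], {"key": sk})

    def tgs_exchange(self, tgt, authenticator, sname, now, lifetime=600):
        t, _ = validate_ticket(self.keys["krbtgt"], tgt, authenticator, now)
        sk = secrets.token_bytes(32).hex()
        st = seal(self.keys[sname], {"cname": t["cname"], "key": sk, "start": now, "end": now + lifetime})
        return st, seal(bytes.fromhex(t["key"]), {"key": sk, "sname": sname})


def client_login(kdc, cname, password, now):
    k = long_term_key(cname, password)
    tgt, enc = kdc.as_exchange(cname, seal(k, {"ts": now}), now)
    return tgt, bytes.fromhex(unseal(k, enc)["key"])   # wrong password: unseal fails


def client_service_ticket(kdc, cname, tgt, tgs_key, sname, now):
    st, enc = kdc.tgs_exchange(tgt, seal(tgs_key, {"cname": cname, "ts": now}), sname, now)
    return st, bytes.fromhex(unseal(tgs_key, enc)["key"])


def service_accept(service_key, st, authenticator, now):
    """AP-REQ: the service validates the ticket offline with its own long-term key and
    answers with an AP-REP under the session key, proving its own identity (mutual auth)."""
    t, auth = validate_ticket(service_key, st, authenticator, now)
    return t["cname"], seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})


def run_demo(now=1_700_000_000.0):
    """Happy path plus the failure modes described in the text; returns the outcomes."""
    http_key = secrets.token_bytes(32)  # the service's own key, also registered with the KDC
    kdc = KDC({"alice": long_term_key("alice", "correct horse"), "http/web": http_key})
    out = {}
    tgt, tgs_key = client_login(kdc, "alice", "correct horse", now)
    st, svc_key = client_service_ticket(kdc, "alice", tgt, tgs_key, "http/web", now + 60)
    who, ap_rep = service_accept(http_key, st, seal(svc_key, {"cname": "alice", "ts": now + 61}), now + 61)
    out["accepted"] = who
    out["mutual_auth"] = unseal(svc_key, ap_rep)["ts"] == now + 61   # client checks the AP-REP
    failures = {
        "wrong_password": lambda: client_login(kdc, "alice", "wrong", now),
        "clock_skew": lambda: service_accept(http_key, st, seal(svc_key, {"cname": "alice", "ts": now}), now + 500),
        "expired_ticket": lambda: service_accept(http_key, st, seal(svc_key, {"cname": "alice", "ts": now + 700}), now + 700),
        "forged_ticket": lambda: service_accept(http_key, st[:-1] + bytes([st[-1] ^ 1]), b"", now + 61),
    }
    for label, attempt in failures.items():
        try:
            attempt()
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Note that the service side never contacts the KDC: a ticket is validated purely by decrypting it with the service's own key, which is why the KDC's key database is the crown jewel. The same `validate_ticket` routine serves the TGS (decrypting with the krbtgt key) and the service (decrypting with its own key), mirroring how the TGT is simply a service ticket for the KDC itself.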