What are Active Directory Kerberos tickets?
Kerberos tickets are used in Microsoft Active Directory to authenticate user and service accounts. They are encrypted tickets that contain a user’s identity and authentication information, as well as a session key that is used to encrypt and decrypt subsequent communication between the user and service.
There are several types of Kerberos tickets, including:
- Ticket Granting Ticket (TGT): This is the initial ticket that is issued by the Kerberos authentication server (AS) in response to a user’s request for authentication. The TGT contains the user’s identity and a session key that is used to encrypt and decrypt communication with the ticket-granting service (TGS).
- Service Ticket (ST): This ticket is issued by the TGS in response to a user’s request for access to a specific service. The ST contains the user’s identity, the name of the requested service, and a session key that is used to encrypt and decrypt communication with the service.
- Proxy Ticket: This is a type of ST that is issued by the TGS to allow a user to access a service on behalf of another user.
- Renewal Ticket: This is a type of TGT that is issued by the TGS to allow a user to renew their TGT without having to re-enter their credentials.
Here’s a simplified, human-readable view of the fields in a Kerberos ticket (the real ticket is ASN.1-encoded and encrypted with the service account’s key, so these fields are only visible to the KDC and the target service):

```yaml
Ticket {
  Ticket Version: 5
  Server Realm: EXAMPLE.COM
  Server Name: host/service.example.com@EXAMPLE.COM
  Client Name: user@EXAMPLE.COM
  Start Time: 2022-03-01T00:00:00Z
  End Time: 2022-03-01T23:59:59Z
  Renew Till: 2022-03-02T23:59:59Z
  Session Key: {AES256 Encryption Key}
  Flags: {various flags indicating ticket type and options}
  Authorization Data: {additional data used for authorization purposes}
}
```
What is klist?
`klist` is a command-line utility that is used to manage Kerberos tickets on Windows operating systems. It can be used to view, renew, or purge Kerberos tickets from a user’s ticket cache. The `klist` command can be run from the Command Prompt or Windows PowerShell.
Some common examples of `klist` commands are:
- `klist`: displays the current Kerberos tickets in the user’s ticket cache.
- `klist purge`: purges all Kerberos tickets from the user’s ticket cache.
- `klist renew`: renews all renewable Kerberos tickets in the user’s ticket cache.
- `klist tgt`: displays the Kerberos Ticket Granting Ticket (TGT) that the user is currently using.
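The following PowerShell script is an added example, not code from the original page or from Microsoft: it parses the text that `klist` prints into objects, decodes the `Flags` field described in the ticket structure above into the RFC 4120 flag names, and checks each cached ticket against the Default Domain Policy lifetimes (10 hours for a TGT, 600 minutes for a service ticket). The `$SampleKlistOutput` here-string is constructed for the example and mirrors the layout of real `klist` output; on a real host replace it with `klist tickets | Out-String`. The function names (`ConvertFrom-KlistOutput`, `Test-KerberosTicket`, `Get-KlistField`, `Convert-KlistTime`) and the `$TicketFlagBits` table are this example’s own, and the date parsing assumes the en-US `M/d/yyyy H:mm:ss` layout that `klist` prints on an English system.

```powershell
# Added example (not from the original page): parse Windows `klist` output into
# objects, decode the RFC 4120 ticket flags and review each cached ticket.
# $SampleKlistOutput is constructed for this example; on a real host use
#   $raw = klist tickets | Out-String
# Dates are assumed to use the en-US "M/d/yyyy H:mm:ss" layout; other locales
# fall back to [datetime]::Parse with the host culture.

$SampleKlistOutput = @'
Cached Tickets: (2)

#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/1/2022 0:00:00 (local)
        End Time:   3/1/2022 10:00:00 (local)
        Renew Time: 3/8/2022 0:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: alice @ EXAMPLE.COM
        Server: cifs/fileserver.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 3/1/2022 0:05:00 (local)
        End Time:   3/2/2022 0:05:00 (local)
        Renew Time: 3/8/2022 0:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
'@

# TicketFlags bits from RFC 4120 section 5.3.1 (bit 0 is the most significant
# bit of the 32-bit value) plus the name_canonicalize bit that klist reports.
$TicketFlagBits = [ordered]@{
    forwardable = 0x40000000; forwarded = 0x20000000; proxiable = 0x10000000
    proxy = 0x08000000; may_postdate = 0x04000000; postdated = 0x02000000
    invalid = 0x01000000; renewable = 0x00800000; initial = 0x00400000
    pre_authent = 0x00200000; hw_authent = 0x00100000
    transited_policy_checked = 0x00080000; ok_as_delegate = 0x00040000
    name_canonicalize = 0x00010000
}

function Get-KlistField {
    param([string]$Chunk, [string]$Name)   # value of a "Name: value" line, or nothing
    if ($Chunk -match "(?m)^\s*$([regex]::Escape($Name)):\s*(.+?)\s*$") { $Matches[1] }
}

function Convert-KlistTime {
    param([string]$Value)
    if (-not $Value) { return $null }
    $clean = ($Value -replace '\s*\(local\)\s*$', '').Trim()
    try { [datetime]::ParseExact($clean, 'M/d/yyyy H:mm:ss', [cultureinfo]::InvariantCulture) }
    catch { [datetime]::Parse($clean) }   # fall back to the host locale
}

function ConvertFrom-KlistOutput {
    param([Parameter(Mandatory)][string]$Text)
    # Every cached ticket begins with a "#N>" marker; the text before the first one is the header.
    $chunks = @($Text -split '(?m)^#\d+>') | Select-Object -Skip 1
    foreach ($chunk in $chunks) {
        $flagsValue = [uint32]0
        if ($chunk -match 'Ticket Flags\s+0x([0-9A-Fa-f]+)') { $flagsValue = [Convert]::ToUInt32($Matches[1], 16) }
        $server = Get-KlistField $chunk 'Server'
        [pscustomobject]@{
            Client         = Get-KlistField $chunk 'Client'
            Server         = $server
            IsTgt          = [bool]($server -like 'krbtgt/*')
            EncryptionType = Get-KlistField $chunk 'KerbTicket Encryption Type'
            FlagsHex       = ('0x{0:x8}' -f $flagsValue)
            Flags          = @($TicketFlagBits.Keys | Where-Object { ($flagsValue -band $TicketFlagBits[$_]) -ne 0 })
            StartTime      = Convert-KlistTime (Get-KlistField $chunk 'Start Time')
            EndTime        = Convert-KlistTime (Get-KlistField $chunk 'End Time')
            RenewTime      = Convert-KlistTime (Get-KlistField $chunk 'Renew Time')
        }
    }
}

function Test-KerberosTicket {
    param(
        [Parameter(Mandatory)]$Ticket,
        # Default Domain Policy values: 10 hours for a TGT, 600 minutes for a service ticket.
        [timespan]$MaxTgtLifetime = (New-TimeSpan -Hours 10),
        [timespan]$MaxServiceLifetime = (New-TimeSpan -Minutes 600)
    )
    $findings = @()
    if ($Ticket.EncryptionType -match 'RC4|DES') { $findings += "weak encryption type '$($Ticket.EncryptionType)'; the account should support AES" }
    if ($Ticket.StartTime -and $Ticket.EndTime) {
        $limit = if ($Ticket.IsTgt) { $MaxTgtLifetime } else { $MaxServiceLifetime }
        $lifetime = $Ticket.EndTime - $Ticket.StartTime
        if ($lifetime -gt $limit) { $findings += "lifetime $lifetime exceeds the policy maximum of $limit" }
    }
    if (-not $Ticket.IsTgt -and $Ticket.Flags -contains 'ok_as_delegate') { $findings += 'target service is trusted for delegation (ok_as_delegate)' }
    if ($Ticket.Flags -contains 'forwarded' -or $Ticket.Flags -contains 'proxy') { $findings += 'ticket was issued via delegation (forwarded/proxy flag)' }
    return $findings
}

foreach ($t in ConvertFrom-KlistOutput -Text $SampleKlistOutput) {
    $kind = if ($t.IsTgt) { 'TGT' } else { 'ST ' }
    "$kind $($t.Server) [$($t.FlagsHex) -> $($t.Flags -join ' ')]"
    foreach ($finding in Test-KerberosTicket -Ticket $t) { "    finding: $finding" }
}
```

With the constructed sample, the TGT produces no findings, while the `cifs/` service ticket is reported three times: its RC4 encryption type, a 24-hour lifetime that exceeds the 600-minute service-ticket maximum, and the `ok_as_delegate` flag that marks the target service as trusted for delegation. The lifetime limits are parameters so they can be set to whatever the domain’s Kerberos policy actually configures; the flag bitmask is the same `Flags` field shown in the ticket structure above, which `klist` prints both as a hex value and as names.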