What are Active Directory Kerberos Tickets?


Kerberos tickets are used in Microsoft Active Directory to authenticate user and service accounts. Each ticket is an encrypted data structure that contains a user’s identity and authentication information, as well as a session key that is used to encrypt and decrypt subsequent communication between the user and the service.

There are several types of Kerberos tickets, including:

  1. Ticket Granting Ticket (TGT): This is the initial ticket that is issued by the Kerberos authentication server (AS) in response to a user’s request for authentication. The TGT contains the user’s identity and a session key that is used to encrypt and decrypt communication with the ticket-granting service (TGS).
  2. Service Ticket (ST): This ticket is issued by the TGS in response to a user’s request for access to a specific service. The ST contains the user’s identity, the name of the requested service, and a session key that is used to encrypt and decrypt communication with the service.
  3. Proxy Ticket: This is a type of ST that is issued by the TGS to allow a user to access a service on behalf of another user.
  4. Renewal Ticket: This is a type of TGT that is issued by the TGS to allow a user to renew their TGT without having to re-enter their credentials.

Here’s an example of a Kerberos ticket structure:

Ticket {
    Ticket Version: 5
    Server Realm: EXAMPLE.COM
    Server Name: host/service.example.com@EXAMPLE.COM
    Client Name: user@example.com
    Start Time: 2022-03-01T00:00:00Z
    End Time: 2022-03-01T23:59:59Z
    Renew Till: 2022-03-02T23:59:59Z
    Session Key: {AES256 Encryption Key}
    Flags: {various flags indicating ticket type and options}
    Authorization Data: {additional data used for authorization purposes}
}

What is klist?

klist is a command-line utility that is used to manage Kerberos tickets on Windows operating systems. It can be used to view, renew, or purge Kerberos tickets from a user’s ticket cache. The klist command can be run from the Command Prompt or Windows PowerShell.

Some common examples of klist commands are:

  • klist: This command displays the current Kerberos tickets in the user’s ticket cache.
  • klist purge: This command purges all Kerberos tickets from the user’s ticket cache.
  • klist renew: This command renews all renewable Kerberos tickets in the user’s ticket cache.
  • klist tgt: This command displays the Kerberos Ticket Granting Ticket (TGT) that the user is currently using.
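
The fields in the ticket structure above (client, server, times, flags, session key type) can be read back from the text that klist prints. The Python below is an added example, not part of the original post: it parses klist-style output into one record per ticket and labels each as a TGT or a service ticket. The sample output is constructed, modelled on the layout Windows klist prints, and `parse_klist` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on the layout Windows klist prints (not captured output).
SAMPLE = """\
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: user @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/1/2022 0:00:00 (local)
        End Time:   3/1/2022 10:00:00 (local)
        Renew Time: 3/8/2022 0:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: user @ EXAMPLE.COM
        Server: host/service.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/1/2022 0:05:00 (local)
        End Time:   3/1/2022 10:00:00 (local)
        Renew Time: 3/8/2022 0:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

def parse_klist(text):
    """Return one dict per cached ticket in klist-style output."""
    tickets = []
    # Each entry starts with "#<index>>"; the text before the first one is the header.
    for entry in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        t = {}
        for line in entry.splitlines():
            line = line.strip()
            m = re.match(r"Ticket Flags (0x[0-9a-fA-F]+) -> (.*)", line)
            if m:  # flags line has no colon: hex mask, then flag names
                t["flags_hex"], t["flags"] = m.group(1), m.group(2).split()
            elif ":" in line:
                key, value = line.split(":", 1)
                t[key.strip()] = value.strip()
        # A ticket for the krbtgt service is a TGT; anything else is a service ticket.
        t["kind"] = "TGT" if t.get("Server", "").startswith("krbtgt/") else "ST"
        t["renewable"] = "renewable" in t.get("flags", [])
        t["aes_session_key"] = "AES" in t.get("Session Key Type", "")
        tickets.append(t)
    return tickets

if __name__ == "__main__":
    for t in parse_klist(SAMPLE):
        print(t["kind"], t["Server"], t["End Time"], t["renewable"], t["aes_session_key"])
```

The timestamps are kept as strings because klist prints them in the local date format of the machine it runs on.
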
Author: tonyhughes