Kerberos Tickets
1 Answer
Kerberos authentication relies on two types of tickets to provide secure and efficient network access: the Ticket-Granting Ticket (TGT) and the Service Ticket. This two-ticket system addresses both initial user authentication and subsequent access to various network services, as explained in resources like The Moron's Guide to Kerberos.
Ticket-Granting Ticket (TGT)
The TGT is the first ticket a client obtains from the Authentication Server (AS) after successfully proving its identity, usually with a password. Its primary purpose is to allow the client to request additional Service Tickets from the Ticket-Granting Service (TGS) without re-sending their password or performing a full re-authentication for every new service they wish to access. The TGT is encrypted with the TGS's secret key, ensuring only the TGS can decrypt and validate it.
Service Ticket
Once a client possesses a valid TGT, they can present it to the TGS to request a Service Ticket for a specific application server or service (e.g., a file server or an email server). This Service Ticket is then presented directly to the target application server to authenticate the client for that particular service. The Service Ticket is encrypted with the target service's secret key, which only that specific server can decrypt.
Why Two Tickets Are Necessary
Using only one ticket would introduce significant security and efficiency problems, as detailed in texts such as Guide to Computer Network Security.
- If only a Service Ticket were used directly for all services, the client would need to re-authenticate with the AS every time they wanted to access a different service. This would involve repeatedly sending the user's credentials, increasing network traffic and presenting more opportunities for credential interception. It would also place an undue burden on the Authentication Server.
- If only a TGT were used to access all services, it would become a "master key" that grants access to any service once obtained. If this single TGT were compromised, an attacker would gain access to all services the user is authorized to use, violating the principle of least privilege. The TGT's purpose is specifically to authenticate to the TGS, not directly to application services.
The separation into a TGT and Service Ticket provides a balance: the TGT minimizes the need for repeated password-based authentication by acting as a temporary credential to obtain other tickets, while the Service Ticket provides fine-grained access control to specific services. This design enhances both security and operational efficiency, as described by resources like General Information on Kerberos.
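A toy Python model of the two-ticket flow described above, added here as an example (it is not from the answer or from any Kerberos implementation). It assumes a simplified encrypt-then-MAC sealing function in place of Kerberos's real encryption types, uses constructed long-term keys, and leaves out session keys, authenticators and pre-authentication. It shows the AS sealing the TGT under the TGS key, the TGS sealing a Service Ticket under the target service's key, and a service rejecting both a TGT presented directly and a ticket issued for a different service.

```python
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: SHA-256(key || nonce || counter) blocks. Illustration only, not a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, ticket: dict) -> bytes:
    """Encrypt-then-MAC a ticket under one principal's long-term key (assumed construction)."""
    nonce = os.urandom(16)
    pt = json.dumps(ticket).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Return the ticket, or raise ValueError if it was not sealed under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket not sealed under this key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

# Constructed long-term keys, standing in for the KDC's principal database.
KEYS = {"krbtgt": os.urandom(32), "fileserver": os.urandom(32), "mailserver": os.urandom(32)}

def as_issue_tgt(user: str) -> bytes:
    """AS step: the TGT is sealed under the TGS (krbtgt) key, so only the TGS can read it."""
    return seal(KEYS["krbtgt"], {"user": user, "for": "krbtgt", "exp": time.time() + 600})

def tgs_issue_service_ticket(tgt: bytes, service: str) -> bytes:
    """TGS step: validate the TGT, then seal a Service Ticket under the target service's key."""
    t = unseal(KEYS["krbtgt"], tgt)
    if t["for"] != "krbtgt" or t["exp"] < time.time():
        raise ValueError("TGT invalid or expired")
    return seal(KEYS[service], {"user": t["user"], "for": service, "exp": time.time() + 600})

def service_accept(service: str, ticket: bytes) -> str:
    """Application server: accept only a ticket sealed under its own key that names it."""
    t = unseal(KEYS[service], ticket)
    if t["for"] != service or t["exp"] < time.time():
        raise ValueError("ticket not for this service or expired")
    return t["user"]
```

Because each ticket is sealed under a different key, a Service Ticket for the file server is meaningless to the mail server, and the TGT is meaningless to any application server: this is the key-separation behind the "fine-grained access control" in the answer.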