
Differences between TGT and Service Tickets


Tadoori (EXT), Vilas

Dec 10, 2009, 8:19:59 AM
to kerb...@mit.edu
Hello All,

I am new to the Kerberos field and would like to know the basic differences between a TGT and a Service Ticket and it would be great if anyone can provide an example on this.


Thanks
Vilas

Hans van Zijst

Dec 10, 2009, 8:33:36 AM
Hi Vilas,

A service ticket is a ticket you need to access a specific service. For
normal services, you get your ticket at the KDC and use it to access the
service.

But... Requesting that ticket is also accessing a service: the key
distributing service at the KDC. For that service, you also need a
ticket: the TGT. The name TGT in fact says it all: it's the ticket that
will grant you other tickets.

While acquiring the TGT, your password is checked by the AS. For service
tickets, only the content of your ticket is checked against the KDC by
the service, no further authentication from your side is necessary once
the AS has established your identity and granted you the TGT.

Kind regards,

Hans

Ken Raeburn

Dec 10, 2009, 12:17:56 PM
to Tadoori (EXT), Vilas, kerb...@mit.edu
On Dec 10, 2009, at 08:19, Tadoori (EXT), Vilas wrote:
> Hello All,
>
> I am new to the Kerberos field and would like to know the basic
> differences between a TGT and a Service Ticket and it would be great
> if anyone can provide an example on this.

The fundamental difference is that the TGT is a ticket for a very
specific service, the Ticket Granting Service. We usually use
"service ticket" for services other than the TGS, but the TGS is a
service as well, in the general sense. While other services may let
you read email or log in or print files, the TGS is more integrated
with Kerberos and lets you acquire additional tickets for most
services (except, for example, the password-changing service) without
using your password every time.

In the initial ticket exchange, Kerberos lets you get a ticket for any
service in the realm; the TGS is the usual one, but it doesn't have to
be the one you ask for. You could instead ask for an initial ticket
for a print service or an IMAP service. But if you want to use a
second service, you need to go back to the Authentication Service and
get another "initial" ticket that you'll need your password to decrypt
(unless you're using PKINIT).

Ken
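Added example, not code from this thread or from MIT Kerberos: a toy Python model of the two exchanges Hans and Ken describe, so you can see which key each ticket is sealed under and why the password is used only once, in the AS exchange. The realm, the principal names, the password, the JSON ticket layout and the HMAC-based "seal" are all stand-ins chosen for this example, not Kerberos encryption types or message formats; it also shows Ken's point that the initial ticket can be for a service other than the TGS.

```python
import hashlib, hmac, json, os, secrets

REALM, TGS = "EXAMPLE.COM", "krbtgt/EXAMPLE.COM"  # the Ticket Granting Service is itself a principal
def string_to_key(password, principal):  # stand-in for Kerberos string-to-key (password -> long-term key)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + "/" + principal).encode(), 10_000)

def _xor(key, nonce, data):  # keystream from HMAC in counter mode; enough for a model, not a real enctype
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):  # toy encrypt-then-MAC: only a holder of `key` can read or forge the blob
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    def __init__(self, users, services):
        self.keys = {u: string_to_key(p, u) for u, p in users.items()}  # users: password-derived keys
        self.keys.update({s: os.urandom(32) for s in services + [TGS]})  # services, TGS included: keytab-style random keys
    def _issue(self, client, service, reply_key):
        # Every ticket, the TGT included, is sealed with the *service's* key; the client only ever sees the session key.
        sk = secrets.token_hex(32)
        ticket = seal(self.keys[service], {"client": client, "service": service, "session_key": sk})
        return ticket, seal(reply_key, {"service": service, "session_key": sk})
    def as_exchange(self, client, service=TGS):
        # AS reply is sealed under the password-derived key: "checking the password" is the client being able to open it.
        return self._issue(client, service, self.keys[client])
    def tgs_exchange(self, tgt, authenticator, service):
        # The TGS is a service whose ticket is the TGT: it opens the TGT with its own key and issues the next ticket under the TGT session key. No password involved.
        t = unseal(self.keys[TGS], tgt)
        if unseal(bytes.fromhex(t["session_key"]), authenticator)["client"] != t["client"]: raise ValueError("authenticator does not match TGT")
        return self._issue(t["client"], service, bytes.fromhex(t["session_key"]))

def verify_at_service(service_key, service, ticket, authenticator):
    # The service checks the ticket with its own key (its keytab); it contacts neither the KDC nor the user's password.
    t = unseal(service_key, ticket)
    return t["service"] == service and unseal(bytes.fromhex(t["session_key"]), authenticator)["client"] == t["client"]

def client_login(kdc, user, password, service):
    tgt, reply = kdc.as_exchange(user)  # AS exchange: the only step that needs the password
    tgt_sk = bytes.fromhex(unseal(string_to_key(password, user), reply)["session_key"])
    ticket, reply = kdc.tgs_exchange(tgt, seal(tgt_sk, {"client": user}), service)  # TGS exchange: TGT + authenticator
    svc_sk = bytes.fromhex(unseal(tgt_sk, reply)["session_key"])
    return verify_at_service(kdc.keys[service], service, ticket, seal(svc_sk, {"client": user}))
```

A wrong password surfaces as a failure to open the AS reply, and a TGT presented to the IMAP service fails the tag check because it was sealed under the TGS key, not the IMAP key.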
