We are independent & ad-supported. We may earn a commission for purchases made through our links.

Advertiser Disclosure

Our website is an independent, advertising-supported platform. We provide our content free of charge to our readers, and to keep it that way, we rely on revenue generated through advertisements and affiliate partnerships. This means that when you click on certain links on our site and make a purchase, we may earn a commission. Learn more.

How We Make Money

We sustain our operations through affiliate commissions and advertising. If you click on an affiliate link and make a purchase, we may receive a commission from the merchant at no additional cost to you. We also display advertisements on our website, which help generate revenue to support our work and keep our content free for readers. Our editorial team operates independently from our advertising and affiliate partnerships to ensure that our content remains unbiased and focused on providing you with the best information and recommendations based on thorough research and honest evaluations. To remain transparent, we’ve provided a list of our current affiliate partners here.

What is an Authentication Ticket?

By S.A. Keel
Updated May 16, 2024
Our promise to you
EasyTechJunkie is dedicated to creating trustworthy, high-quality content that always prioritizes transparency, integrity, and inclusivity above all else. Our ensure that our content creation and review process includes rigorous fact-checking, evidence-based, and continual updates to ensure accuracy and reliability.

Our Promise to you

Founded in 2002, our company has been a trusted resource for readers seeking informative and engaging content. Our dedication to quality remains unwavering—and will never change. We follow a strict editorial policy, ensuring that our content is authored by highly qualified professionals and edited by subject matter experts. This guarantees that everything we publish is objective, accurate, and trustworthy.

Over the years, we've refined our approach to cover a wide range of topics, providing readers with reliable and practical advice to enhance their knowledge and skills. That's why millions of readers turn to us each year. Join us in celebrating the joy of learning, guided by standards you can trust.

Editorial Standards

At EasyTechJunkie, we are committed to creating content that you can trust. Our editorial process is designed to ensure that every piece of content we publish is accurate, reliable, and informative.

Our team of experienced writers and editors follows a strict set of guidelines to ensure the highest quality content. We conduct thorough research, fact-check all information, and rely on credible sources to back up our claims. Our content is reviewed by subject matter experts to ensure accuracy and clarity.

We believe in transparency and maintain editorial independence from our advertisers. Our team does not receive direct compensation from advertisers, allowing us to create unbiased content that prioritizes your interests.

An authentication ticket is a security component of the Kerberos network security protocol. It acts as something of a token, a small collection of data, passed between a client computer and a server, so that the two computers can prove identity to one another. Beyond this mutual network identification, the ticket also details whatever permissions the client has for accessing the server and its services, as well as a time allotted for the session.

There are essentially two types of authentication ticket. A ticket granting ticket (TGT), also referred to as a ticket to get tickets, is the primary ticket issued when the client computer first establishes its identity. This type of ticket typically lasts for a long period, upwards of 10 or more hours, and can be renewed anytime during the period in which the user is logged onto the network. With a TGT, the user is able to then request individual authentication tickets to access other servers on the network.

A client-to-server ticket, also referred to as a session ticket, is the second form of authentication ticket. This is typically a short-lived ticket that is handed out when a client wishes to access a service on a particular server. The session ticket contains the client computer's network address, the user information, and a duration in which the ticket is valid. In some Kerberos implementations, such as Microsoft's® Active Directory®, a third type of ticket, called a referral ticket, can also be used. This ticket type is granted when a client wishes to access a server that resides on a domain separate from its own.

The way the Kerberos ticket granting system works is through the use of a separate server, known as the key distribution center (KDC), that provides the entire authentication ticket system. This machine has two sub-components running, the first of which is known as the authentication server (AS). The AS knows about all of the other computers and users on the network and keeps a database of their passwords. When a user logs onto the network, the AS grants him a TGT.

At the point in which a user needs to access a server somewhere on the network, he uses the TGT given earlier and requests a service ticket from the second part of the KDC, called the ticket granting server (TGS). The TGS sends a session ticket back to the user, who can then use it to access the server he requested. When the server receives the session ticket, it sends another message back to the user verifying its identity and that the user is allowed to access the service requested. In the case of a referral ticket, an extra step is required where the KDC of the home domain instead creates a referral ticket that allows the client to request session tickets from another KDC on a different network domain. This entire ticket generation and sharing process is encrypted at every step along the way to protect against an attacker eavesdropping or masquerading as a user.

The primary drawback to the authentication ticket method is the centralized structure of all authorizations. If an attacker manages to get access to the KDC, he essentially gains access to all user identities and passwords and can then impersonate anyone. Further, should the KDC become unavailable, no one would be able to use the network. Another issue is the detailed life cycles of the tickets, which require that all of the computers on the network have their clocks synchronized.

EasyTechJunkie is dedicated to providing accurate and trustworthy information. We carefully select reputable sources and employ a rigorous fact-checking process to maintain the highest standards. To learn more about our commitment to accuracy, read our editorial process.

Discussion Comments

EasyTechJunkie, in your inbox

Our latest articles, guides, and more, delivered daily.

EasyTechJunkie, in your inbox

Our latest articles, guides, and more, delivered daily.