What is an Authentication Ticket?

An authentication ticket is a security component of the Kerberos network security protocol. It acts as something of a token, a small collection of data, passed between a client computer and a server, so that the two computers can prove identity to one another. Beyond this mutual network identification, the ticket also details whatever permissions the client has for accessing the server and its services, as well as a time allotted for the session.

There are essentially two types of authentication ticket. A ticket granting ticket (TGT), also referred to as a ticket to get tickets, is the primary ticket issued when the client computer first establishes its identity. This type of ticket typically lasts for a long period, upwards of 10 or more hours, and can be renewed anytime during the period in which the user is logged onto the network. With a TGT, the user is able to then request individual authentication tickets to access other servers on the network.

A client-to-server ticket, also referred to as a session ticket, is the second form of authentication ticket. This is typically a short-lived ticket that is handed out when a client wishes to access a service on a particular server. The session ticket contains the client computer's network address, the user information, and a duration in which the ticket is valid. In some Kerberos implementations, such as Microsoft's® Active Directory®, a third type of ticket, called a referral ticket, can also be used. This ticket type is granted when a client wishes to access a server that resides on a domain separate from its own.

The way the Kerberos ticket granting system works is through the use of a separate server, known as the key distribution center (KDC), that provides the entire authentication ticket system. This machine has two sub-components running, the first of which is known as the authentication server (AS). The AS knows about all of the other computers and users on the network and keeps a database of their passwords. When a user logs onto the network, the AS grants him a TGT.

At the point in which a user needs to access a server somewhere on the network, he uses the TGT given earlier and requests a service ticket from the second part of the KDC, called the ticket granting server (TGS). The TGS sends a session ticket back to the user, who can then use it to access the server he requested. When the server receives the session ticket, it sends another message back to the user verifying its identity and that the user is allowed to access the service requested. In the case of a referral ticket, an extra step is required where the KDC of the home domain instead creates a referral ticket that allows the client to request session tickets from another KDC on a different network domain. This entire ticket generation and sharing process is encrypted at every step along the way to protect against an attacker eavesdropping or masquerading as a user.

The primary drawback to the authentication ticket method is the centralized structure of all authorizations. If an attacker manages to get access to the KDC, he essentially gains access to all user identities and passwords and can then impersonate anyone. Further, should the KDC become unavailable, no one would be able to use the network. Another issue is the detailed life cycles of the tickets, which require that all of the computers on the network have their clocks synchronized.