Your Knowledge Center for all Active Directory Security-Related Research

Kerberos TGT

The Kerberos TGT (Ticket Granting Ticket) carries all of the user’s relevant authentication and authorization information. Because that information travels inside the ticket, the Kerberos KDC (Key Distribution Center) can rely on the ticket alone, without making further identification inquiries, which improves the protocol’s efficiency.

In particular, the TGT contains the following fields:

  • Name: the name of the user the ticket is associated with.
  • Start time and End time: mark the validity period of the ticket. By default, in Windows networks, the validity period is ten hours.
  • Authorization-data: details the user’s privileges and access rights. In Windows, the authorization data takes the form of a Privilege Attribute Certificate (PAC) object. The PAC is “Microsoft-specific authorization data present in the authorization data field of a ticket. The PAC contains several logical components, including group membership data for authorization, alternate credentials for non-Kerberos authentication protocols, and policy control information for supporting interactive logon.”

To protect the TGT from tampering, it is encrypted with a key that is known only to the AS (Authentication Server) and the KDC.
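As an added illustration (not code from the original page, and not real Kerberos encoding or cryptography), the following Python model assembles a ticket with the fields listed above, seals it under a key held only by the KDC, and shows the KDC validating the ticket from its contents alone: a genuine ticket passes, a ticket whose PAC group list was altered fails the integrity check, and a genuine ticket presented after its ten-hour lifetime is rejected. The key, user name and group names are constructed, and an HMAC stands in for the real ticket encryption.

```python
import hmac, hashlib, json
from datetime import datetime, timedelta, timezone

TICKET_LIFETIME = timedelta(hours=10)  # Windows default validity period noted above
KDC_KEY = b"constructed-placeholder-key-held-only-by-the-KDC"  # not a real key
TAG_LEN = 32

def issue_tgt(kdc_key, cname, groups, now):
    """Assemble the fields the article lists and seal them under the KDC's key.
    Real Kerberos encrypts the ticket (e.g. AES-CTS with HMAC-SHA1, RFC 3962);
    this model attaches an HMAC-SHA256 tag to stand in for that protection."""
    body = {
        "cname": cname,
        "starttime": now.isoformat(),
        "endtime": (now + TICKET_LIFETIME).isoformat(),
        "authorization_data": {"pac": {"groups": groups}},  # PAC group membership
    }
    blob = json.dumps(body, sort_keys=True).encode()
    return blob + hmac.new(kdc_key, blob, hashlib.sha256).digest()

def validate_tgt(kdc_key, ticket, now):
    """KDC-side check that relies on the ticket alone: seal first, then lifetime."""
    blob, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(kdc_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "integrity check failed: ticket modified or sealed with another key"
    body = json.loads(blob)
    start = datetime.fromisoformat(body["starttime"])
    end = datetime.fromisoformat(body["endtime"])
    if not start <= now <= end:
        return None, "ticket outside its validity period"
    return body, "ok"

def demo():
    """Issue a ticket, then show the three outcomes a KDC can reach."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    tgt = issue_tgt(KDC_KEY, "alice@CORP.EXAMPLE", ["Domain Users"], now)
    body, status = validate_tgt(KDC_KEY, tgt, now)
    results = {"valid": status, "cname": body["cname"]}
    # Edit the PAC group list inside the sealed bytes: the tag no longer matches.
    modified = tgt[:-TAG_LEN].replace(b'"Domain Users"', b'"Domain Admins"') + tgt[-TAG_LEN:]
    results["modified_pac"] = validate_tgt(KDC_KEY, modified, now)[1]
    # Present the genuine ticket one minute after its ten-hour lifetime ends.
    late = now + TICKET_LIFETIME + timedelta(minutes=1)
    results["after_lifetime"] = validate_tgt(KDC_KEY, tgt, late)[1]
    return results

if __name__ == "__main__":
    print(demo())
```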