0
votes

I have been studying Kerberos, and I am confused about which component sends the Ticket Granting Ticket (TGT) from the KDC back to the client.

Some of the sources I came across say the TGT originates from the Ticket Granting Service (TGS), which I think sounds very logical, since it makes sense that a ticket (i.e. the TGT) is granted by a Ticket Granting Service.

However, some other sources, like this one (https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fintroductiontokerberosauthentication.htm):

The Authorization Server verifies the user's access rights in the user database and creates a TGT and session key. The Authorization Server encrypts the results using a key derived from the user's password and sends a message back to the user workstation.

imply that the TGT originates from the Authentication Service (AS).

So, my question is: where does the Kerberos TGT originate from? The AS or the TGS? I lean toward the AS myself based on the above source, but would like more input on this topic. Thanks.

1

1 Answer

2
votes

The TGT is a ticket issued to the krbtgt service. That's all it is. You can get tickets through either the AS or TGS flow.

In order to get a ticket from the AS flow you need to have what Kerberos calls long term credentials to initiate or complete the flow. The AS-REP contains a value encrypted to that long term credential, so it's only useful if you have the password (or certificate, or whatever).

In order to get a ticket from the TGS flow you need to have a ticket issued for krbtgt.

The common practice is to use the AS flow to request a ticket to krbtgt using your password as the long term credential (or certificate, or whatever). There's nothing stopping you from requesting a different service in the AS-REQ; it just happens that no one does it because it defeats the purpose of using a TGT in place of the creds. There are specific services this is special-cased for, like password change, where this is the only way you can get a ticket (say your password is expired: you can't get a TGT, but you can get a changepw ticket).

Once you have the TGT, you can request tickets to any other service using a TGS-REQ, including requesting another TGT by setting the service to krbtgt (it's effectively treated as a renewal). The TGS-REP is returned to the client and contains the service ticket encrypted against the krbtgt session key. The client can decrypt it because it has the session key. Once it's decrypted, the client converts it to an AP-REQ and hands it off to whatever application requested a ticket. The ticket in the AP-REQ is encrypted to the service password.
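A toy walk-through of the two flows described in this answer, as an added example that is not part of the original post: the AS issues the TGT (a ticket to krbtgt, readable only with the client's long-term key) and the TGS turns that TGT into service tickets, including another TGT when the requested service is krbtgt. All principals, keys and the HMAC-based stand-in cipher are constructed, and the expired-password case that still allows a kadmin/changepw ticket follows the answer's description.

```python
import hashlib, hmac, json, os

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (HMAC-SHA256 keystream XOR); stands in for a Kerberos etype."""
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, obj):    return xor_stream(key, json.dumps(obj).encode())
def unseal(key, blob): return json.loads(xor_stream(key, blob).decode())

# Constructed KDC database: one long-term key per principal (clients and services).
KDC = {
    "alice":           {"key": b"alice-password-derived", "expired": False},
    "bob":             {"key": b"bob-password-derived",   "expired": True},
    "krbtgt":          {"key": os.urandom(16)},
    "kadmin/changepw": {"key": os.urandom(16)},
    "http/web":        {"key": os.urandom(16)},
}

def as_exchange(client, service):
    """AS-REQ/AS-REP: the AS issues a ticket for `service` (krbtgt -> a TGT) sealed to
    the service's key, plus a copy of the session key sealed to the client's long-term
    key. An expired password may only obtain a ticket for the password-change service."""
    if KDC[client].get("expired") and service != "kadmin/changepw":
        raise PermissionError("password expired: only kadmin/changepw may be requested")
    session = os.urandom(16).hex()
    ticket = seal(KDC[service]["key"], {"cname": client, "sname": service, "key": session})
    return ticket, seal(KDC[client]["key"], {"sname": service, "key": session})

def tgs_exchange(tgt, authenticator, service):
    """TGS-REQ/TGS-REP: the TGS opens the TGT with the krbtgt key, checks the
    authenticator under the TGT session key, and returns a ticket for `service`
    (krbtgt again = a fresh TGT) with the new session key sealed to the old one."""
    t = unseal(KDC["krbtgt"]["key"], tgt)
    if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
        raise PermissionError("authenticator does not match TGT")
    session = os.urandom(16).hex()
    ticket = seal(KDC[service]["key"], {"cname": t["cname"], "sname": service, "key": session})
    return ticket, seal(bytes.fromhex(t["key"]), {"sname": service, "key": session})

def client_to_service(client, service):
    """Client side: AS flow for a TGT, TGS flow for the service ticket, then the
    service (AP-REQ receiver) opens the ticket with its own key. Returns what it sees."""
    tgt, enc = as_exchange(client, "krbtgt")
    tgt_session = bytes.fromhex(unseal(KDC[client]["key"], enc)["key"])  # needs the password
    st, enc2 = tgs_exchange(tgt, seal(tgt_session, {"cname": client}), service)
    svc_session = unseal(tgt_session, enc2)["key"]
    seen = unseal(KDC[service]["key"], st)  # the service decrypts the AP-REQ ticket
    return seen, seen["key"] == svc_session
```

Note that the client never sees inside the TGT itself; it only recovers the session key from the part of the AS-REP sealed to its own long-term key.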