Microsoft KB Archive/230669

= Windows 2000 Kerberos 5 Ticket Flags and KDC Options for AS_REQ and TGS_REQ Messages =

PSS ID Number: 230669

Article Last Modified on 11/21/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q230669



SUMMARY
The Microsoft Windows 2000 implementation of the Kerberos version 5 protocol is designed for interoperability with other security services based on MIT Kerberos version 5. Microsoft implements Kerberos based on RFC 1510 as an authentication package replacing NTLM. Kerberos version 5 is the default authentication package for Windows 2000. It is important to remember that Kerberos does not authorize access to resources, but rather authenticates a user's identity. Once the client identity is verified, the local Security Authority authorizes or denies access.

This article describes the common flags associated with "tickets" and the Key Distribution Center (KDC) option table for AS_REQ and TGS_REQ. A "ticket" in Kerberos is a package with the user's name and the user's SIDs in a data structure. The goal of Kerberos could be thought of as the creation and secure distribution of tickets.

For a complete overview of Kerberos in Windows 2000, please see the following article in the Microsoft Knowledge Base:

217098 Basic Overview of Kerberos Authentication in Windows 2000



Kerberos Ticket Flags
Flag Bit: 0

Flag Value: Reserved

Flag Meaning: None

Flag Bit: 1

Flag Value: Forwardable

Flag Meaning: The ticket can be forwarded, it only applies to a TGT.

Flag Bit: 2

Flag Value: Forwarded

Flag Meaning: A TGT or ticket that has been forwarded.

Flag Bit: 3

Flag Value: Proxiable

Flag Meaning: This ticket can be proxied.

Flag Bit: 4

Flag Value: Proxy

Flag Meaning: A ticket that has been proxied.

Flag Bit: 5

Flag Value: May Postdate

Flag Meaning: In a TGT, this means that subsequent tickets can be postdated.

Flag Bit: 6

Flag Value: Postdated

Flag Meaning: A ticket with a START-TIME time stamp in the future.

Flag Bit: 7

Flag Value: Invalid

Flag Meaning: This flag is set for a postdated ticket and cleared by the TGS when presented for validation at the ticket's start time.

Flag Bit: 8

Flag Value: Renewable

Flag Meaning: Specifies whether or not the same ticket may be used beyond its original lifetime. The default Kerberos policy is 10 hours, but may be renewable for a longer period of time.

Flag Bit: 9

Flag Value: Initial

Flag Meaning: This ticket resulted from an AS_REQ message and was not based on a TGT. The TGT, tickets issued from remote untrusted domain services, and programs such as password-changing programs might require this flag.

Flag Bit: 10

Flag Value: Pre-authent

Flag Meaning: Specifies that some pre-authentication was required (and passed) before the ticket was issued. This would be the result of any pre-authentication data sent in the pre-authentication data field of the AS_REQ or TGS_REQ messages. Microsoft Kerberos requires this by default.

Flag Bit: 11

Flag Value: HW-authent

Flag Meaning: Indicates that some hardware device was used for pre-authentication. Microsoft Kerberos does not currently use this flag.

Flag Bit: 12

Flag Value: Transited Policy Checked

Flag Meaning: In the case of a cross-domain authentication, this flag indicates that the KDC has checked the transited field to make sure that any domains that the ticket has passed through were trusted.

Flag Bit: 13

Flag Value: OK As Delegate

Flag Meaning: If set, indicates that the server specified in the ticket has been approved by the domain policy to be used as a client delegate. That is, the specified server can make use of a proxy or forwarded ticket. Whether a computer can be trusted for delegation is set under the computer's properties.

Flag Bit: 14

Flag Value: Anonymous

Flag Meaning: Indicates that the principal is a generic domain account, such as anonymous, for the purpose of distributing a session key.

Flag Bits: 15-31

Flag Value: Reserved

Flag Meaning: None at this time.

Description of the KDC
The Key Distribution Center (KDC) is a service that runs on every Windows 2000 domain controller and is responsible for maintaining master keys for all principles. The KDC service that gives the client a logon session key and a Ticket Granting Ticket (TGT) is known as the Authentication Service (AS). The KDC then distributes a service session key and a ticket for the service by using the Ticket-Granting Service (TGS). The final step in the authentication process is when the client pre-sends the ticket for admission to a service called the Client/Server (CS) Exchange.

NOTE: This is a simplified overview and many more steps may be necessary for a complete picture of the process.

KDC Options for KRB_AS_REQ and KRB_TGS_REQ Messages
The following KDC options cab be set in an AS_REQ or TGS_REQ.

Flag Bit: 0

Flag Value: Reserverd

Flag Meaning: None

Flag Bit: 1

Flag Value: Forwardable

Flag Meaning: Ticket can be forwarded. A forwarded ticket is a type of proxy, allowing the ticket to be used from a specified address to obtain additional service tickets on behalf of the client. Allowed addresses are specified in the message's addresses field.

Flag Bit: 2

Flag Value: Forwarded

Flag Meaning: Ticket is a forwarded ticket.

Flag Bit: 3

Flag Value: Proxiable

Flag Meaning: Ticket can be proxied. A proxied ticket can be valid from specified addresses other than the original client's address. The difference between proxy and forwarded tickets is that a proxy ticket is used to authenticate a client to a specific target. A forwarded ticket is a TGT, allowing a service to act as if it were the client and to request new service tickets from the TGS, again as if it were the original client.

Flag Bit: 4

Flag Value: Proxy

Flag Meaning: Ticket is a proxy ticket.

Flag Bit: 5

Flag Value: Allow Postdate

Flag Meaning: A service (for example, a backup service) can start and request a ticket that can be postdated, meaning that it will be valid at some requested time in the future (hours or days away). This allows the service to start and run without the additional security risk of having a valid ticket stored in the LSA's credential cache. When the service wants the ticket to be activated, it sends a TGS request with the VALIDATE flag set (see below).

Flag Bit: 6

Flag Value: Post-dated

Flag Meaning: Ticket is post-dated.

Flag Bit: 7

Flag Value: Reserved

Flag Meaning: None

Flag Bit: 8

Flag Value: Renewable

Flag Meaning: Tickets are normally valid for 10 hours, depending on the domain's Kerberos policy. However, they may be renewable for a longer period of time. This is also set by the Kerberos policy. If a ticket is renewable, the renewal process will take place automatically at the ticket's expiration time.

Flag Bits: 9-13

Flag Value: Reserved

Flag Meaning: None at this time.

Flag Bit: 14

Flag Value: Request Anonymous

Flag Meaning: Even if a user is anonymous, a ticket authenticating that the user actually is anonymous needs to be created.

Flag Bits: 15-25

Flag Value: Reserved

Flag Meaning: None at this time.

Flag Bit: 26

Flag Value: Disable Transited Check

Flag Meaning: Tickets contain a field that tracks which domains that ticket has passed through to get to the target server. This is used if the target server is not in the client's domain. An MIT Kerberos policy may require that the list of transited domains be checked for valid domains. Microsoft Kerberos does not currently use this policy. However, a Kerberos-aware program may perform its own checking and may request that the normal transit checking be disabled.

Flag Bit: 27

Flag Value: Renewable OK

Flag Meaning: This flag means that it is acceptable to issue renewable tickets based on this ticket. It does not mean that the initial ticket, the TGT, should be renewable. This is set by flag bit 8.

Flag Bit: 28

Flag Value: ENC-TKT-IN-SKEY

Flag Meaning: Normally, tickets are encrypted with the target server's secret key. However, in user-to-user authentication, the ticket is encrypted with the session key taken from a provided TGT. This flag is used in that situation and means "Encrypt ticket in the session key."

Flag Bit: 29

Flag Value: Reserved

Flag Meaning: None.

Flag Bit: 30

Flag Value: Renew

Flag Meaning: This is not used for the AS_REQ. If a ticket is flagged as renewable and needs to be renewed, this flag would be set and the ticket needing the renewal would be included with the request (a TGS_REQ).

Flag Bit: 31

Flag Value: Validate

Flag Meaning: Validate a postdated ticket, based on the start time specified in the ticket.

Kerberos Terminology
Client

An entity that can obtain a ticket. This entity is usually either a user or a host.

Host

A computer that can be contacted over a network.

Kerberos

The Kerberos service was originally intended to have three components: authentication, accounting, and auditing. Accounting and auditing were never implemented, and Kerberos is solely a network security package that was developed at MIT.

KDC

Key Distribution Center. A computer that issues Kerberos tickets.

Keytab

A key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his or her password.

Principal

A string that names a specific entity to which a set of credentials may be assigned. It generally has three parts:
 * Primary - The first part of a Kerberos principal. In the case of a user, it is the user name. In the case of a service, it is the name of the service.
 * Instance - The second part of a Kerberos principal. It gives information that qualifies the primary. The instance may be null. In the case of a user, the instance is often used to describe the intended use of the corresponding credentials. In the case of a host, the instance is the fully qualified host name.
 * Realm - The logical network served by a single Kerberos database and a set of Key Distribution Centers. By convention, realm names are generally all uppercase letters, to differentiate the realm from the Internet domain. A Kerberos realm correlates with a Microsoft domain.

The typical format of a typical Kerberos principal is

primary/instance@DOMAIN.

Service

Any program or computer you use over a network. Examples of services include "host," "ftp," "krbtgt," and "pop."

Ticket

A temporary set of electronic credentials that verify the identity of a client for a particular service.

TGT Ticket-Granting Ticket

A special Kerberos ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos domain/realm.

Keywords: kbenv kbinfo KB230669

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch kbWinDataServSearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.