MORE INFORMATION

Kerberos Ticket Flags

Flag Bit: 0
Flag Value: Reserved
Flag Meaning: None

Flag Bit: 1
Flag Value: Forwardable
Flag Meaning: The ticket can be forwarded, it only applies to a TGT.

Flag Bit: 2
Flag Value: Forwarded
Flag Meaning: A TGT or ticket that has been forwarded.

Flag Bit: 3
Flag Value: Proxiable
Flag Meaning: This ticket can be proxied.

Flag Bit: 4
Flag Value: Proxy
Flag Meaning: A ticket that has been proxied.

Flag Bit: 5
Flag Value: May Postdate
Flag Meaning: In a TGT, this means that subsequent tickets can be postdated.

Flag Bit: 6
Flag Value: Postdated
Flag Meaning: A ticket with a START-TIME time stamp in the future.

Flag Bit: 7
Flag Value: Invalid
Flag Meaning: This flag is set for a postdated ticket and cleared by the TGS when presented for validation at the ticket's start time.

Flag Bit: 8
Flag Value: Renewable
Flag Meaning: Specifies whether or not the same ticket may be used beyond its original lifetime. The default Kerberos policy is 10 hours, but may be renewable for a longer period of time.

Flag Bit: 9
Flag Value: Initial
Flag Meaning: This ticket resulted from an AS_REQ message and was not based on a TGT. The TGT, tickets issued from remote untrusted domain services, and programs such as password-changing programs might require this flag.

Flag Bit: 10
Flag Value: Pre-authent
Flag Meaning: Specifies that some pre-authentication was required (and passed) before the ticket was issued. This would be the result of any pre-authentication data sent in the pre-authentication data field of the AS_REQ or TGS_REQ messages. Microsoft Kerberos requires this by default.

Flag Bit: 11
Flag Value: HW-authent
Flag Meaning: Indicates that some hardware device was used for pre-authentication. Microsoft Kerberos does not currently use this flag.

Flag Bit: 12
Flag Value: Transited Policy Checked
Flag Meaning: In the case of a cross-domain authentication, this flag indicates that the KDC has checked the transited field to make sure that any domains that the ticket has passed through were trusted.

Flag Bit: 13
Flag Value: OK As Delegate
Flag Meaning: If set, indicates that the server specified in the ticket has been approved by the domain policy to be used as a client delegate. That is, the specified server can make use of a proxy or forwarded ticket. Whether a computer can be trusted for delegation is set under the computer's properties.

Flag Bit: 14
Flag Value: Anonymous
Flag Meaning: Indicates that the principal is a generic domain account, such as anonymous, for the purpose of distributing a session key.

Flag Bits: 15-31
Flag Value: Reserved
Flag Meaning: None at this time.

Description of the KDC

The Key Distribution Center (KDC) is a service that runs on every Windows 2000 domain controller and is responsible for maintaining master keys for all principles. The KDC service that gives the client a logon session key and a Ticket Granting Ticket (TGT) is known as the Authentication Service (AS). The KDC then distributes a service session key and a ticket for the service by using the Ticket-Granting Service (TGS). The final step in the authentication process is when the client pre-sends the ticket for admission to a service called the Client/Server (CS) Exchange.

NOTE: This is a simplified overview and many more steps may be necessary for a complete picture of the process.

KDC Options for KRB_AS_REQ and KRB_TGS_REQ Messages

The following KDC options cab be set in an AS_REQ or TGS_REQ.

Flag Bit: 0
Flag Value: Reserverd
Flag Meaning: None

Flag Bit: 1
Flag Value: Forwardable
Flag Meaning: Ticket can be forwarded. A forwarded ticket is a type of proxy, allowing the ticket to be used from a specified address to obtain additional service tickets on behalf of the client. Allowed addresses are specified in the message's addresses field.

Flag Bit: 2
Flag Value: Forwarded
Flag Meaning: Ticket is a forwarded ticket.

Flag Bit: 3
Flag Value: Proxiable
Flag Meaning: Ticket can be proxied. A proxied ticket can be valid from specified addresses other than the original client's address. The difference between proxy and forwarded tickets is that a proxy ticket is used to authenticate a client to a specific target. A forwarded ticket is a TGT, allowing a service to act as if it were the client and to request new service tickets from the TGS, again as if it were the original client.

Flag Bit: 4
Flag Value: Proxy
Flag Meaning: Ticket is a proxy ticket.

Flag Bit: 5
Flag Value: Allow Postdate
Flag Meaning: A service (for example, a backup service) can start and request a ticket that can be postdated, meaning that it will be valid at some requested time in the future (hours or days away). This allows the service to start and run without the additional security risk of having a valid ticket stored in the LSA's credential cache. When the service wants the ticket to be activated, it sends a TGS request with the VALIDATE flag set (see below).

Flag Bit: 6
Flag Value: Post-dated
Flag Meaning: Ticket is post-dated.

Flag Bit: 7
Flag Value: Reserved
Flag Meaning: None

Flag Bit: 8
Flag Value: Renewable
Flag Meaning: Tickets are normally valid for 10 hours, depending on the domain's Kerberos policy. However, they may be renewable for a longer period of time. This is also set by the Kerberos policy. If a ticket is renewable, the renewal process will take place automatically at the ticket's expiration time.

Flag Bits: 9-13
Flag Value: Reserved
Flag Meaning: None at this time.

Flag Bit: 14
Flag Value: Request Anonymous
Flag Meaning: Even if a user is anonymous, a ticket authenticating that the user actually is anonymous needs to be created.

Flag Bits: 15-25
Flag Value: Reserved
Flag Meaning: None at this time.

Flag Bit: 26
Flag Value: Disable Transited Check
Flag Meaning: Tickets contain a field that tracks which domains that ticket has passed through to get to the target server. This is used if the target server is not in the client's domain. An MIT Kerberos policy may require that the list of transited domains be checked for valid domains. Microsoft Kerberos does not currently use this policy. However, a Kerberos-aware program may perform its own checking and may request that the normal transit checking be disabled.

Flag Bit: 27
Flag Value: Renewable OK
Flag Meaning: This flag means that it is acceptable to issue renewable tickets based on this ticket. It does not mean that the initial ticket, the TGT, should be renewable. This is set by flag bit 8.

Flag Bit: 28
Flag Value: ENC-TKT-IN-SKEY
Flag Meaning: Normally, tickets are encrypted with the target server's secret key. However, in user-to-user authentication, the ticket is encrypted with the session key taken from a provided TGT. This flag is used in that situation and means "Encrypt ticket in the session key."

Flag Bit: 29
Flag Value: Reserved
Flag Meaning: None.

Flag Bit: 30
Flag Value: Renew
Flag Meaning: This is not used for the AS_REQ. If a ticket is flagged as renewable and needs to be renewed, this flag would be set and the ticket needing the renewal would be included with the request (a TGS_REQ).

Flag Bit: 31
Flag Value: Validate
Flag Meaning: Validate a postdated ticket, based on the start time specified in the ticket.

Kerberos Terminology

Client
An entity that can obtain a ticket. This entity is usually either a user or a host.

Host
A computer that can be contacted over a network.

Kerberos
The Kerberos service was originally intended to have three components: authentication, accounting, and auditing. Accounting and auditing were never implemented, and Kerberos is solely a network security package that was developed at MIT.

KDC
Key Distribution Center. A computer that issues Kerberos tickets.

Keytab
A key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his or her password.

Principal
A string that names a specific entity to which a set of credentials may be assigned. It generally has three parts:

• Primary - The first part of a Kerberos principal. In the case of a user, it is the user name. In the case of a service, it is the name of the service.
• Instance - The second part of a Kerberos principal. It gives information that qualifies the primary. The instance may be null. In the case of a user, the instance is often used to describe the intended use of the corresponding credentials. In the case of a host, the instance is the fully qualified host name.
• Realm - The logical network served by a single Kerberos database and a set of Key Distribution Centers. By convention, realm names are generally all uppercase letters, to differentiate the realm from the Internet domain. A Kerberos realm correlates with a Microsoft domain.

The typical format of a typical Kerberos principal is

Service
Any program or computer you use over a network. Examples of services include "host," "ftp," "krbtgt," and "pop."

Ticket
A temporary set of electronic credentials that verify the identity of a client for a particular service.

TGT Ticket-Granting Ticket
A special Kerberos ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos domain/realm.