TGT

Ticket Granting Ticket, abbreviated TGT, is a credential used in the Kerberos authentication protocol. It enables a client to obtain service tickets for multiple network services without re-entering credentials for each service, after an initial login.

In a typical Kerberos flow, a user authenticates to the Key Distribution Center’s Authentication Service (AS). If successful, the AS returns a TGT and a session key for communications with the Ticket Granting Service (TGS). The TGT contains the client’s principal name, the realm, a timestamp, a validity period, and a session key for client–TGS communication; it is encrypted with the TGS’s secret key so that the client cannot read or modify it. The client stores the TGT for use during subsequent requests.

To access a service, the client presents the TGT and an authenticator (encrypted with the TGS–client session key) to the TGS. If the TGT and authenticator are valid, the TGS issues a service ticket for the requested service, encrypted with that service’s secret key. The client then uses the service ticket to authenticate to the service itself.

Lifetime and renewal are important aspects: TGTs have a limited validity period and may be renewable, depending on policy. If a TGT is compromised, an attacker could obtain service tickets until expiry. Security considerations emphasize short lifetimes, secure storage, timely revocation, and minimizing delegation of credentials.

In computing contexts, TGT most commonly refers to a Kerberos Ticket Granting Ticket, a central element of the protocol’s credential management.
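The AS and TGS exchanges described above can be modelled in a few functions. This is an added example, not part of the original page and not real Kerberos code: a toy encrypt-then-MAC built from HMAC-SHA256 stands in for a Kerberos encryption type, and the function names, JSON ticket layout and 300-second clock-skew window are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for a real Kerberos encryption type."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def as_exchange(tgs_key, client_key, principal, realm, now, lifetime):
    """AS: the TGT is sealed under the TGS key, the session key under the client key."""
    session = os.urandom(32).hex()
    tgt = seal(tgs_key, {"principal": principal, "realm": realm, "timestamp": now,
                         "end_time": now + lifetime, "session_key": session})
    return tgt, seal(client_key, {"session_key": session})

def make_authenticator(client_key, sealed_session, principal, now):
    """Client: recover the session key and seal a fresh authenticator with it."""
    session = unseal(client_key, sealed_session)["session_key"]
    return seal(bytes.fromhex(session), {"principal": principal, "timestamp": now})

def tgs_exchange(tgs_key, service_key, tgt, authenticator, service, now, skew=300):
    """TGS: check the TGT and authenticator, then issue a service ticket."""
    ticket = unseal(tgs_key, tgt)           # only the TGS key opens the TGT
    if now > ticket["end_time"]:
        raise ValueError("TGT expired")     # validity period bounds any reuse
    auth = unseal(bytes.fromhex(ticket["session_key"]), authenticator)
    if auth["principal"] != ticket["principal"] or abs(now - auth["timestamp"]) > skew:
        raise ValueError("authenticator rejected")
    # The service ticket is sealed under the service's key and never outlives the TGT.
    return seal(service_key, {"principal": ticket["principal"], "service": service,
                              "end_time": ticket["end_time"]})
```

Shortening the `lifetime` passed to `as_exchange` directly shrinks the window in which a copied TGT is still accepted by `tgs_exchange`.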