clientTGS

clientTGS is a client-side component used in Kerberos-based authentication systems. It denotes the portion of the client software that handles communication with the Ticket Granting Service (TGS) in order to obtain service tickets for specific network services. The term is not a formal standard, but is used in some documentation to distinguish the client’s TGS-related logic from other Kerberos client functionality such as the initial authentication with the Authentication Service (AS).

The core role of clientTGS is to take a valid Ticket Granting Ticket (TGT) already obtained from the AS, construct a TGS request (TGS-REQ) for a particular service, send it to the TGS, and process the response (TGS-REP). The TGS-REP contains a service ticket that the client can present to the target service, along with a session key for negotiations with that service. The clientTGS component also manages the local cache of tickets and the TGT, reusing or renewing tickets as policy allows.

Typical workflow: a client presents credentials to obtain a TGT from the AS. When access to a service is required, the clientTGS module uses the TGT and the client’s own credentials to request a service ticket from the TGS. On success, the service ticket is supplied to the application or library requesting access so that it can authenticate to the target service.

Security considerations include protection of the TGT and service tickets, strict validation of timestamps and lifetimes, protection against replay, clock skew handling, and proper key management. In practice, clientTGS is implemented within Kerberos client libraries or OS authentication subsystems and may interact with a credential cache (ccache).
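A runnable model of the exchange described above, added here as an illustration and not code from this page or from any Kerberos implementation: the TGS side is a constructed stub, `seal`/`unseal` stand in for Kerberos encryption with an HMAC tag (integrity only, no secrecy), and the policy values, principal names and keys are all constructed. It shows the clientTGS role building a TGS-REQ with an authenticator, processing the TGS-REP, caching the service ticket in a ccache, and the lifetime, clock-skew and replay checks the security considerations call for.

```python
import hashlib, hmac, json, secrets
MAX_SKEW, SVC_LIFETIME = 300, 3600   # constructed policy: tolerated clock skew, max service-ticket life (s)

def seal(key, obj):   # toy stand-in for Kerberos encryption: JSON + HMAC tag (integrity only, no secrecy)
    body = json.dumps(obj, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):   # a wrong key or a tampered blob raises instead of decoding
    body, tag = blob
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered blob")
    return json.loads(body)

class TGS:   # server side, modelled only as far as needed to exercise the client's checks
    def __init__(self, krbtgt_key, service_keys):
        self.krbtgt_key, self.service_keys, self.seen = krbtgt_key, service_keys, set()
    def handle(self, tgt, authenticator, service, now):
        t = unseal(self.krbtgt_key, tgt)                        # only the KDC can open a TGT
        if t["endtime"] <= now: raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)      # proves the client holds the TGT session key
        if a["cname"] != t["cname"]: raise PermissionError("authenticator principal mismatch")
        if abs(a["ctime"] - now) > MAX_SKEW: raise PermissionError("clock skew too large")
        if (a["cname"], a["ctime"]) in self.seen: raise PermissionError("replayed authenticator")
        self.seen.add((a["cname"], a["ctime"]))
        svc_key, endtime = secrets.token_hex(16), min(t["endtime"], now + SVC_LIFETIME)
        ticket = seal(self.service_keys[service], {"cname": t["cname"], "key": svc_key, "endtime": endtime})
        enc_part = seal(bytes.fromhex(t["key"]), {"key": svc_key, "endtime": endtime, "sname": service})
        return {"ticket": ticket, "enc_part": enc_part}         # TGS-REP

class ClientTGS:   # the clientTGS role: build TGS-REQ, process TGS-REP, maintain a ccache
    def __init__(self, principal, tgt, tgt_session_key):
        self.principal, self.tgt, self.sk, self.ccache = principal, tgt, tgt_session_key, {}
    def get_service_ticket(self, tgs, service, now):
        hit = self.ccache.get(service)
        if hit and hit["endtime"] > now:                        # reuse an unexpired cached ticket
            return hit["ticket"], hit["key"]
        authenticator = seal(self.sk, {"cname": self.principal, "ctime": now})
        rep = tgs.handle(self.tgt, authenticator, service, now)            # TGS-REQ
        enc = unseal(self.sk, rep["enc_part"])                              # readable only with the TGT session key
        if enc["sname"] != service: raise ValueError("TGS-REP is for a different service")
        self.ccache[service] = {"ticket": rep["ticket"], **enc}
        return rep["ticket"], enc["key"]

def demo(now=1_000_000):   # constructed run: AS-issued TGT, one TGS exchange, then a ccache hit a minute later
    krbtgt_key, svc_keys, sk = b"krbtgt-secret", {"host/fs.example": b"fs-secret"}, secrets.token_hex(16)
    tgt = seal(krbtgt_key, {"cname": "alice@EXAMPLE", "key": sk, "endtime": now + 8 * 3600})
    client, tgs = ClientTGS("alice@EXAMPLE", tgt, bytes.fromhex(sk)), TGS(krbtgt_key, svc_keys)
    t1, k1 = client.get_service_ticket(tgs, "host/fs.example", now)
    t2, k2 = client.get_service_ticket(tgs, "host/fs.example", now + 60)   # served from ccache
    return t1 is t2 and k1 == k2 and unseal(svc_keys["host/fs.example"], t1)["key"] == k1
```

The service ticket's lifetime is capped by the TGT's own end time, so an expiring TGT cannot be used to mint a service ticket that outlives it.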