Kerberos Ticket Structure
Deep dive into Kerberos ticket components and cryptographic elements.
Objectives
- Understand the complete structure of Kerberos tickets
- Learn about PAC (Privilege Attribute Certificate) components
- Master ticket encryption and signing mechanisms
- Identify key material and cryptographic elements
Kerberos Ticket Components
Kerberos tickets are complex structures containing multiple components that work together to provide secure authentication and authorization.
1. Ticket Granting Ticket (TGT) Structure
The TGT is a Kerberos Ticket (RFC 4120 section 5.3) issued by the KDC in the AS-REP. Its service name is krbtgt/REALM and its encrypted part is sealed with the long-term key of the krbtgt account, so only the KDC can read it. In Active Directory the encrypted part also carries the PAC as authorization data. The protocol version and message type belong to the surrounding AS-REP message, not to the ticket itself.
TGT Structure (Ticket, RFC 4120):
├── tkt-vno (always 5)
├── realm (the issuing domain)
├── sname (krbtgt/REALM)
└── enc-part (EncryptedData: etype, kvno, cipher)
    └── EncTicketPart (readable only with the krbtgt key)
        ├── flags (forwardable, renewable, ...)
        ├── key (session key shared between client and KDC)
        ├── crealm / cname (client principal)
        ├── transited (realms crossed)
        ├── authtime / starttime / endtime / renew-till
        ├── caddr (optional client addresses)
        └── authorization-data (AD-IF-RELEVANT wrapping AD-WIN2K-PAC, the PAC)
2. Service Ticket (ST) Structure
A service ticket has the same Ticket layout. It is issued in the TGS-REP and its encrypted part is sealed with the long-term key of the account that owns the requested SPN (for a computer account, the machine password). The session key inside is shared between the client and the service, and the PAC is copied from the TGT by the KDC, with resource-domain local groups added, so the service can build the user's access token without contacting a domain controller.
Service Ticket Structure:
├── tkt-vno (always 5)
├── realm
├── sname (service SPN, e.g. HTTP/web01.corp.local)
└── enc-part (EncryptedData: etype, kvno, cipher)
    └── EncTicketPart (readable only with the service account's key)
        ├── flags
        ├── key (session key shared between client and service)
        ├── crealm / cname (client principal)
        ├── transited
        ├── authtime / starttime / endtime / renew-till
        ├── caddr
        └── authorization-data (PAC, including the resource groups added by the KDC)
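To make the ticket layout concrete, here is an added example (written for this page; not code from the original page and not a Kerberos library) that encodes a Ticket with a minimal DER codec and parses it back out. The realm, SPN and cipher bytes are constructed; the cipher is placeholder bytes standing in for the encrypted EncTicketPart, since producing a real one needs the service key and an RC4 or AES implementation. The point it shows is which fields a holder of the ticket can read without any key (tkt-vno, realm, sname, etype, kvno) and which are opaque.

```python
"""Build and parse a Kerberos Ticket (RFC 4120 section 5.3) with a minimal DER codec.
Example code added for illustration; the cipher bytes are a constructed placeholder."""

# --- minimal DER encoder ---------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def integer(v):            # non-negative INTEGER, leading 0x00 added when the high bit is set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ctx(n, body):          # [n] context-specific, constructed
    return tlv(0xA0 | n, body)

def seq(*items):
    return tlv(0x30, b"".join(items))

def kstring(s):            # KerberosString is a GeneralString
    return tlv(0x1B, s.encode("ascii"))

def principal_name(name_type, parts):
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[kstring(p) for p in parts])))

def build_ticket(realm, sname, etype, kvno, cipher):
    # Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0] INTEGER, realm [1] Realm,
    #            sname [2] PrincipalName, enc-part [3] EncryptedData }
    # EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING }
    enc_part = seq(ctx(0, integer(etype)), ctx(1, integer(kvno)), ctx(2, tlv(0x04, cipher)))
    body = seq(ctx(0, integer(5)), ctx(1, kstring(realm)),
               ctx(2, principal_name(2, sname)),          # name-type 2 = NT-SRV-INST
               ctx(3, enc_part))
    return tlv(0x61, body)                                 # [APPLICATION 1], constructed

# --- minimal DER decoder ---------------------------------------------------
def read_tlv(buf):
    tag, ln, pos = buf[0], buf[1], 2
    if ln & 0x80:                                          # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], buf[pos + ln:]

def read_list(body):
    out = []
    while body:
        tag, val, body = read_tlv(body)
        out.append((tag, val))
    return out

def read_int(der):
    return int.from_bytes(read_tlv(der)[1], "big", signed=True)

ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def parse_ticket(raw):
    tag, body, _ = read_tlv(raw)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket ([APPLICATION 1])")
    fields = dict(read_list(read_tlv(body)[1]))           # children of the outer SEQUENCE
    pn = dict(read_list(read_tlv(fields[0xA2])[1]))      # PrincipalName
    parts = [v.decode("ascii") for _, v in read_list(read_tlv(pn[0xA1])[1])]
    enc = dict(read_list(read_tlv(fields[0xA3])[1]))     # EncryptedData
    etype = read_int(enc[0xA0])
    return {
        "tkt_vno": read_int(fields[0xA0]),
        "realm": read_tlv(fields[0xA1])[1].decode("ascii"),
        "name_type": read_int(pn[0xA0]),
        "sname": "/".join(parts),
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "kvno": read_int(enc[0xA1]) if 0xA1 in enc else None,
        "cipher": read_tlv(enc[0xA2])[1],                  # opaque without the service key
    }

if __name__ == "__main__":
    cipher = bytes(range(64))                              # constructed placeholder
    ticket = build_ticket("CORP.LOCAL", ["HTTP", "web01.corp.local"], 23, 2, cipher)
    print(ticket.hex())
    print(parse_ticket(ticket))
```

Everything parse_ticket returns except cipher is plaintext on the wire; in particular the etype of a service ticket tells anyone who can request one which key type protects it.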
PAC (Privilege Attribute Certificate)
The PAC is Microsoft's extension to Kerberos (specified in MS-PAC), carried in the ticket's authorization-data, that contains the user and group information a Windows service needs to build the user's access token and make authorization decisions.
PAC Components
The PAC is a PACTYPE container: a header with the buffer count, an array of PAC_INFO_BUFFER entries (type, size, offset), and the buffers themselves, each 8-byte aligned. The logon information buffer (KERB_VALIDATION_INFO, type 1) holds the authorization data:
- User SID: the account domain SID plus the user's RID (UserId)
- Group SIDs: RIDs of the global and universal groups in the account domain (GroupIds)
- Resource Group SIDs: domain local groups of the resource domain, added by the KDC when the service ticket is issued
- Extra SIDs: additional SIDs such as well-known SIDs or SIDs from trusted forests
- Logon Time: when the user logged on
- Logon Server: the domain controller that authenticated the user
Other buffers carry the client name and ticket authtime (PAC_CLIENT_INFO, type 10) and the two signatures described below (server checksum, type 6; KDC checksum, type 7).
PAC Validation Process
The PAC is not encrypted on its own: it sits inside the ticket's encrypted part, so it is protected by whatever key seals the ticket (the krbtgt key in a TGT, the service key in a service ticket). Integrity and authenticity come from two keyed checksums embedded in the PAC:
- Server checksum: a keyed checksum over the entire PAC (with both signature fields zeroed) using the key that seals the ticket (the service key, or the krbtgt key for a TGT); the checksum type matches the ticket's encryption type (HMAC-MD5 for RC4, HMAC-SHA1-96 for AES)
- KDC checksum: a keyed checksum over the server checksum value, using the krbtgt key that only domain controllers hold
- When a client presents its TGT in a TGS-REQ, the KDC verifies both checksums before copying the PAC into the new service ticket
- A service verifies the server checksum with its own key; it cannot verify the KDC checksum itself, so a service running without SeTcbPrivilege forwards the PAC to a domain controller over Netlogon for validation, while services with that privilege (such as LocalSystem) skip this step
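The following added example (written for this page; not the page's own code and not Microsoft's implementation) builds a PACTYPE container, signs it the way MS-PAC specifies for RC4-HMAC tickets (the HMAC-MD5 checksum from RFC 4757 with key usage 17) and verifies it. The keys are constructed test values, and the logon-info buffer is a simplified stand-in for KERB_VALIDATION_INFO rather than real NDR-marshalled data; the container layout, signature buffers and checksum computation follow the specification. It also shows what each checksum protects: changing a group RID breaks the server checksum, while re-signing with only the service key yields a PAC the service itself accepts but a domain controller holding the krbtgt key rejects.

```python
"""Build, sign and verify a PACTYPE container with the two PAC signatures
(MS-PAC sections 2.3 and 2.8) using the RC4-HMAC checksum (HMAC-MD5, RFC 4757).
Example code added for illustration. The logon-info buffer is a constructed
stand-in, not a real NDR-marshalled KERB_VALIDATION_INFO."""
import hashlib
import hmac
import struct

PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # checksum type -138, paired with RC4-HMAC (etype 23)
KERB_NON_KERB_CKSUM_SALT = 17         # key usage number used for both PAC signatures
SIG_LEN = 16                          # HMAC-MD5 checksum length

def hmac_md5_checksum(key, usage, data):
    """RFC 4757 section 4: Ksign = HMAC-MD5(K, "signaturekey\\0"); result = HMAC-MD5(Ksign, MD5(usage || data))."""
    ksign = hmac.new(key, b"signaturekey\0", "md5").digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, "md5").digest()

def build_pactype(buffers):
    """Serialize [(ulType, bytes), ...] as PACTYPE: cBuffers, Version, PAC_INFO_BUFFER[], then 8-byte aligned data."""
    header = struct.pack("<II", len(buffers), 0)
    offset, body = 8 + 16 * len(buffers), b""
    for ultype, data in buffers:
        header += struct.pack("<IIQ", ultype, len(data), offset)
        padded = data + b"\0" * (-len(data) % 8)
        body, offset = body + padded, offset + len(padded)
    return header + body

def parse_pactype(pac):
    """Return {ulType: (offset, size)} from the PAC_INFO_BUFFER array."""
    count, _version = struct.unpack_from("<II", pac, 0)
    return {t: (off, size) for t, size, off in
            (struct.unpack_from("<IIQ", pac, 8 + 16 * i) for i in range(count))}

def _with_zeroed_signatures(pac, index):
    """MS-PAC 2.8: both Signature fields are zero while either checksum is computed."""
    out = bytearray(pac)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off = index[t][0] + 4                  # skip the 4-byte SignatureType
        out[off:off + SIG_LEN] = b"\0" * SIG_LEN
    return bytes(out)

def sign_pac(pac, server_key, kdc_key):
    """Fill in the server checksum (over the whole PAC) and the KDC checksum (over the server checksum)."""
    index = parse_pactype(pac)
    out = bytearray(_with_zeroed_signatures(pac, index))
    server_sig = hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, bytes(out))
    kdc_sig = hmac_md5_checksum(kdc_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    for t, sig in ((PAC_SERVER_CHECKSUM, server_sig), (PAC_PRIVSVR_CHECKSUM, kdc_sig)):
        off = index[t][0] + 4
        out[off:off + SIG_LEN] = sig
    return bytes(out)

def verify_pac(pac, server_key, kdc_key=None):
    """Return (server_ok, kdc_ok); kdc_ok is None when the caller has no krbtgt key, as a service does."""
    index = parse_pactype(pac)
    server_off, kdc_off = index[PAC_SERVER_CHECKSUM][0] + 4, index[PAC_PRIVSVR_CHECKSUM][0] + 4
    server_sig, kdc_sig = pac[server_off:server_off + SIG_LEN], pac[kdc_off:kdc_off + SIG_LEN]
    expected = hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, _with_zeroed_signatures(pac, index))
    server_ok = hmac.compare_digest(expected, server_sig)
    kdc_ok = None if kdc_key is None else hmac.compare_digest(
        hmac_md5_checksum(kdc_key, KERB_NON_KERB_CKSUM_SALT, server_sig), kdc_sig)
    return server_ok, kdc_ok

def demo():
    # Constructed keys: RC4-HMAC long-term keys are 16 bytes (the NT hash). Real ones are secret.
    service_key, krbtgt_key = bytes(range(16)), bytes(range(16, 32))
    # Constructed stand-in for KERB_VALIDATION_INFO: UserId, GroupCount, GroupIds (513 = Domain Users)
    logon_info = struct.pack("<IIII", 1105, 2, 513, 1111)
    empty_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\0" * SIG_LEN
    pac = sign_pac(build_pactype([(PAC_LOGON_INFO, logon_info),
                                  (PAC_SERVER_CHECKSUM, empty_sig),
                                  (PAC_PRIVSVR_CHECKSUM, empty_sig)]), service_key, krbtgt_key)
    results = {"valid": verify_pac(pac, service_key, krbtgt_key)}
    # Tamper: replace RID 513 with 512 (Domain Admins) without re-signing: the server checksum fails
    tampered = bytearray(pac)
    off = parse_pactype(pac)[PAC_LOGON_INFO][0] + 8
    tampered[off:off + 4] = struct.pack("<I", 512)
    results["tampered"] = verify_pac(bytes(tampered), service_key, krbtgt_key)
    # Re-sign with the service key but a guessed krbtgt key: the service's own check passes;
    # only a party holding the real krbtgt key (a domain controller) can tell it is forged
    forged = sign_pac(bytes(tampered), service_key, b"\0" * 16)
    results["service_check_only"] = verify_pac(forged, service_key)
    results["dc_check"] = verify_pac(forged, service_key, krbtgt_key)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For AES tickets the same procedure applies with the HMAC-SHA1-96 checksum over a key derived from the ticket key and usage 17; that derivation needs an AES implementation and is omitted here.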
Ticket Encryption and Signing
A ticket's enc-part is encrypted once, with the long-term key of the principal named in sname, using the encryption type (etype) recorded beside it in the clear; the PAC inside carries its own keyed checksums for integrity. The session key never encrypts the ticket itself.
Encryption Types
| Encryption Type | etype | Key Size | Key Derivation | Security Level | Usage |
|---|---|---|---|---|---|
| RC4-HMAC | 23 | 128-bit | MD4 of the UTF-16LE password (the NT hash), unsalted | Legacy | Older systems; disable where possible |
| AES128-CTS-HMAC-SHA1-96 | 17 | 128-bit | PBKDF2-HMAC-SHA1, 4096 iterations, salt = realm + principal name | Strong | Modern systems |
| AES256-CTS-HMAC-SHA1-96 | 18 | 256-bit | PBKDF2-HMAC-SHA1 as above, 256-bit key | Strongest | Modern systems (preferred) |
Because an RC4 key is an unsalted hash of the password, an RC4-encrypted service ticket makes offline password guessing against the service account cheap; a DC issues tickets using the strongest etype that both the requested account (msDS-SupportedEncryptionTypes) and the client support.
Key Material
Different keys are used for different purposes in the Kerberos protocol:
- Long-term Keys: derived from an account's password (user, computer or service account); they seal tickets issued for that principal
- Session Keys: random keys generated by the KDC for each ticket, carried both inside the ticket and in the reply to the client; they protect the authenticator and any later per-session traffic, never the ticket itself
- KRBTGT Key: the long-term key of the krbtgt account; it seals every TGT and produces the PAC's KDC checksum
- Service Keys: the long-term key of the account that owns an SPN; it seals service tickets for that SPN and produces their PAC server checksum
KRBTGT Account
krbtgt is a disabled built-in account whose key the KDC service on every domain controller uses to protect TGTs; the account does not itself act as the KDC.
KRBTGT Key Characteristics:
- Password: set to a random value when the domain is created and never expires; in practice it is rarely changed
- Usage: encrypts every TGT and signs the PAC (KDC checksum)
- Access: stored in the domain database (ntds.dit) and replicated only to writable domain controllers; each RODC gets its own krbtgt_<id> account
- Rotation: should be reset on a schedule and after any suspected exposure of the key, since anyone holding it can forge TGTs for any user
KRBTGT Password Rotation
Regular KRBTGT password rotation is critical for security. The account keeps its current and previous key, so a single reset leaves outstanding TGTs valid, while a second reset invalidates everything issued under the earlier key. Reset once, let the new key replicate to every writable DC, wait at least the maximum TGT lifetime (10 hours by default) so tickets under the old key expire naturally, then reset again.
# PowerShell: reset the krbtgt password (run as Domain Admin on a writable DC)
Import-Module ActiveDirectory
$krbtgt = Get-ADUser -Identity "krbtgt" -Properties PasswordLastSet
Write-Output "krbtgt password last set: $($krbtgt.PasswordLastSet)"
# Phase 1: set a new random password; TGTs issued under the previous key stay valid
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity "krbtgt" -Reset -NewPassword $newPassword
# Push the new key to every DC and wait for replication to converge
repadmin /syncall /AdeP
# Phase 2: after the maximum TGT lifetime (10 hours by default) has elapsed, run the
# reset above a second time to retire the previous key