Why is it okay to pass Kerberos TGTs around between machines (even across networks)? Isn't this pretty much passing a private key around (which is highly frowned upon in the security world)?

The only protection I've read about so far is that it has a set amount of time for which it is valid.

Please answer in terms of why passing a TGT is okay and passing a private key is not. Please assume that I understand everything will be transferred via SSL/TLS and that these pieces of sensitive data are encrypted while at rest.

funa68

2 Answers

Passing a TGT is like passing a sessionId over an SSL/TLS channel, not passing a private key over an open network :). It is secure. TGT contents are encrypted, and read only by the intended recipient.

damiankolasa

Unless I'm missing something, clients don't pass TGTs around: TGTs are what clients receive once they've authenticated to the Authentication Service (AS).

When a client wants to connect to a remote server/service, it sends its TGT - as part of a larger request - to the Ticket-Granting Service (TGS), which then hands back a ticket that the remote server/service will be able to decrypt with their own TGT.

So unless you're talking about between clients and the TGS, I don't believe that TGTs are passed between client and server.

Here's some documentation: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378170%28v=vs.85%29.aspx

John Ruiz
  • Hey John, I am referring to a trust by referral aka Double Hop. http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx – funa68 Dec 05 '12 at 18:16
  • @funa68 - ah, ok. You're talking about old-school delegation. We use constrained delegation which leverages S4U instead of actually passing the TGT. – John Ruiz Dec 07 '12 at 14:57
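To make the two answers concrete, here is a simplified model of the AS / TGS exchange the second answer describes, written as an added example (not code from the question, the answerers or any Kerberos implementation). It uses a constructed toy encrypt-then-MAC in place of real Kerberos enctypes, and `demo()` checks four things: the client cannot read its own TGT (it is opaque to everyone but the KDC), the service reads the client name out of the service ticket with its own long-term key, a TGT presented without the matching session key is rejected, and a TGT past its lifetime is rejected. All keys, principal names and the 8-hour lifetime are assumptions for the example; real Kerberos also has nonces, timestamps in the authenticator and ASN.1 encoding, which are omitted here.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # HMAC-SHA256 in counter mode, used as a keystream
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest(); i += 1
    return out[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC (constructed for this example; not a real Kerberos enctype)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))
# Long-term keys (constructed). Only the KDC holds K_KRBTGT; only the file server holds K_SVC.
K_KRBTGT, K_SVC = os.urandom(32), os.urandom(32)
K_CLIENT = hashlib.sha256(b"user-password").digest()  # derived from the user's password

def as_rep(cname, lifetime=8 * 3600, now=None):
    """AS-REP: the TGT is sealed under krbtgt's key; its session key is sealed under the client's key."""
    now, sk = now or time.time(), os.urandom(32).hex()
    tgt = seal(K_KRBTGT, {"cname": cname, "sk": sk, "exp": now + lifetime})
    return tgt, seal(K_CLIENT, {"sk": sk})

def tgs_rep(tgt, authenticator, sname, now=None):
    """TGS-REQ handling: the KDC opens the TGT, enforces its lifetime and checks the authenticator."""
    t = unseal(K_KRBTGT, tgt)  # nobody else holding the TGT bytes can do this
    if (now or time.time()) > t["exp"]:
        raise ValueError("TGT expired")
    if unseal(bytes.fromhex(t["sk"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match TGT")
    svc_sk = os.urandom(32).hex()
    ticket = seal(K_SVC, {"cname": t["cname"], "sname": sname, "sk": svc_sk, "exp": t["exp"]})
    return ticket, seal(bytes.fromhex(t["sk"]), {"sk": svc_sk})

def demo():  # -> (client_cannot_read_tgt, cname_seen_by_service, no_session_key_rejected, expired_rejected)
    tgt, enc = as_rep("alice@EXAMPLE.COM")
    sk = bytes.fromhex(unseal(K_CLIENT, enc)["sk"])
    auth = lambda key: seal(key, {"cname": "alice@EXAMPLE.COM"})
    def fails(fn):
        try: fn(); return False
        except ValueError: return True
    ticket, _ = tgs_rep(tgt, auth(sk), "cifs/fs1")
    return (fails(lambda: unseal(K_CLIENT, tgt)), unseal(K_SVC, ticket)["cname"],
            fails(lambda: tgs_rep(tgt, auth(os.urandom(32)), "cifs/fs1")),
            fails(lambda: tgs_rep(tgt, auth(sk), "cifs/fs1", now=time.time() + 9 * 3600)))
```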