Protocol
Client authenticates to the KDC and receives a TGT (Ticket Granting Ticket). The client then presents the TGT to obtain service tickets. The service verifies a ticket using the key it shares with the KDC.
Tickets
Contain: session key, client identity, service identity, validity period, and the client's IP address. Encrypted with the service's key.
Weaknesses
Time synchronisation is required (5 min tolerance). The KDC is a single point of trust. Long-lived TGTs enable 'pass-the-ticket'.
Golden ticket attack
Stealing the krbtgt hash lets an attacker forge tickets for any user. Devastating in AD environments; rotating the krbtgt key is critical.