What Is a Kerberos Service Ticket?


Updated on August 29, 2025

A Kerberos Service Ticket is the final and most specific credential in the Kerberos authentication protocol. It is the temporary credential that grants a client access to one specific network service, such as a file server or a web application. Once a user has been authenticated by the domain's Key Distribution Center, Service Tickets let them reach network resources without re-entering credentials for each service.

This article provides a technical overview of how a Service Ticket works. We will cover its role in the Kerberos process and its security implications.

Definition and Core Concepts

A Service Ticket (ST) is a temporary, secure credential issued by the Kerberos Ticket-Granting Service (TGS). It is uniquely encrypted with the target service’s secret key. Its sole purpose is to prove a client’s identity to that specific service.

Key components involved in this process include:

  • Ticket-Granting Service (TGS): The logical component of the Kerberos Key Distribution Center (KDC) responsible for issuing Service Tickets.
  • Ticket-Granting Ticket (TGT): The initial, master ticket a client obtains from the KDC’s Authentication Service (AS). The client must present a valid TGT to the TGS to request a Service Ticket.
  • Service Principal Name (SPN): A unique identifier used by a client to request a Service Ticket for a specific service instance on the network.
  • Session Key: A temporary encryption key created by the TGS to secure communication between a client and a target service.

How It Works

The issuance of a Service Ticket is the second major phase of the Kerberos authentication process. This phase, often called the TGS Exchange, works as follows.

Client Request

A client sends a request (KRB_TGS_REQ) to the Kerberos TGS. This request includes its TGT and the Service Principal Name (SPN) of the resource it wants to access.

TGS Validation

The TGS decrypts the TGT using the domain’s KRBTGT key. This action verifies the client’s identity and ensures the TGT is valid. It then checks if the requested SPN is registered in Active Directory and if the user has permissions for the associated service.

Ticket Issuance

If the request is valid, the TGS generates a Service Ticket. This ticket is a secure data blob containing the client's information and a new session key. The entire ticket is encrypted with the target service's secret key and sent back to the client. The same reply also carries a copy of the session key for the client, protected with the key the client already shares with the KDC from its TGT, so the client can later prove to the service that it holds the key inside the ticket.

The client then forwards this Service Ticket to the target service. Since the ticket is encrypted with the service’s key, only that service can decrypt it, verifying the client’s identity and granting access.
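The TGS exchange described above, modelled end to end as an added example (not code from the original article): the TGT is sealed under the krbtgt key, the Service Ticket under the target service's key, and the receiving service accepts the ticket only with its own key, for its own SPN and before expiry. Real Kerberos uses ASN.1 messages and RFC 3961 encryption types; the stdlib toy cipher, SPNs, keys and timestamps here are constructed stand-ins.

```python
import hashlib, hmac, json, os

def _ks(key, nonce, n):
    """Keystream for the toy cipher: SHAKE256(key || nonce) expanded to n bytes."""
    return hashlib.shake_256(key + nonce).digest(n)

def seal(key, obj):
    """Encrypt-then-MAC a dict under key: a stdlib toy standing in for a Kerberos enctype."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(plain, _ks(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or an altered ticket."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def tgs_exchange(krbtgt_key, spn_keys, tgt_blob, spn, now):
    """KRB_TGS_REQ (TGT + SPN) -> Service Ticket sealed under the target service's key."""
    tgt = unseal(krbtgt_key, tgt_blob)          # TGS validation: only a genuine TGT opens
    if now > tgt["expires"]:
        raise PermissionError("TGT expired")
    if spn not in spn_keys:                     # the 'SPN issue' from the troubleshooting section
        raise LookupError("SPN not registered: " + spn)
    session_key = os.urandom(32)                # fresh key shared by client and service
    st = {"client": tgt["client"], "spn": spn, "session_key": session_key.hex(),
          "expires": now + 10 * 3600}           # constructed 10-hour ticket lifetime
    return seal(spn_keys[spn], st), session_key

def service_accepts(service_key, spn, st_blob, now):
    """Target service opens the ST with its own key; wrong key, wrong SPN or expiry -> None."""
    try:
        st = unseal(service_key, st_blob)
    except ValueError:
        return None
    if st["spn"] != spn or now > st["expires"]:
        return None
    return st["client"]

def demo(now=1_700_000_000):
    """Constructed realm: alice's ST for cifs/fs01 is accepted only there and only until expiry."""
    krbtgt_key = os.urandom(32)
    spn_keys = {"cifs/fs01": os.urandom(32), "http/web01": os.urandom(32)}
    tgt = seal(krbtgt_key, {"client": "alice", "expires": now + 36000})  # AS exchange output, not modelled
    st, _ = tgs_exchange(krbtgt_key, spn_keys, tgt, "cifs/fs01", now)
    return {"fs01": service_accepts(spn_keys["cifs/fs01"], "cifs/fs01", st, now),
            "web01": service_accepts(spn_keys["http/web01"], "http/web01", st, now),
            "expired": service_accepts(spn_keys["cifs/fs01"], "cifs/fs01", st, now + 11 * 3600)}
```

Running `demo()` shows the single-service and time-limited properties from the next section in one place: the same ticket is accepted by fs01, rejected by web01 (wrong key), and rejected by fs01 once its lifetime has passed.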

Key Features and Components

Service Tickets have several distinct features that are central to their function within the Kerberos protocol.

Single-Service Use

A Service Ticket is purpose-built and valid only for the specific service for which it was requested. It cannot be used to access other services on the network.

Time-Limited

Service Tickets have a defined expiration time, typically a few hours or a day. This limits the window of opportunity for an attacker if the ticket is stolen. Once expired, the ticket is invalid.

Delegation

A Service Ticket is central to Kerberos delegation. This feature allows a service to impersonate a user to access resources on the user’s behalf. This is common in multi-tier application architectures where a front-end service needs to access a back-end database as the user.

Troubleshooting and Considerations

Several common issues can prevent the successful issuance or use of a Service Ticket. Understanding these can help administrators troubleshoot authentication failures.

SPN Issues

A common cause of Service Ticket failures is an incorrect, missing, or duplicate SPN registration. The TGS cannot issue a ticket for a service if its SPN is not properly configured in Active Directory.

Time Skew

Kerberos is highly dependent on synchronized time across all machines. A significant time difference—typically more than five minutes—between the client, domain controller, and the service will cause ticket validation to fail.

Kerberoasting

Attackers can exploit the Kerberos protocol by requesting Service Tickets for any registered service account; the TGS will issue them to any authenticated user. Because each ticket is encrypted with a key derived from the service account's password, an attacker who captures one can attempt to crack that password offline, a technique known as Kerberoasting. The practical defence is to give service accounts long, random passwords (for example through Group Managed Service Accounts) and to require AES encryption types, so that a captured ticket cannot realistically be cracked.

Key Terms Appendix

  • Kerberos Service Ticket: The temporary credential that grants access to a specific network service.
  • Ticket-Granting Service (TGS): The service that issues Service Tickets.
  • Ticket-Granting Ticket (TGT): The master ticket required to request a Service Ticket.
  • Service Principal Name (SPN): A unique identifier for a service used in Kerberos.
  • Kerberos Delegation: The process of allowing a service to impersonate a user to access resources on their behalf.
