What is a Kerberos Ticket Cache?

Updated on August 29, 2025

A Kerberos ticket cache is a secure, local storage area on a client machine where a user’s Kerberos tickets and session keys are temporarily stored. Its primary purpose is to streamline the authentication process by allowing a user to access multiple network services without needing to re-enter their credentials for each one.

This article provides a technical overview of how a ticket cache works and why its security is paramount for protecting a user’s identity on the network. Understanding the ticket cache is essential for IT professionals managing authentication infrastructure and defending against credential-based attacks.

Definition and Core Concepts

A Kerberos ticket cache is a designated memory region or file on a client machine where the Kerberos client stores tickets and their associated session keys. This cache is managed by the operating system and is fundamental to the Kerberos protocol’s efficiency.

The ticket cache stores three critical components:

• Ticket-Granting Ticket (TGT): The master ticket that a user receives upon initial authentication. It serves as proof of the user’s identity to the Kerberos Key Distribution Center (KDC). The TGT has a default lifetime of 10 hours in most Active Directory environments.
• Service Ticket (ST): A temporary, single-use credential that grants a client access to a specific network service. Service tickets typically have shorter lifespans than TGTs, usually ranging from 10 minutes to several hours depending on the service configuration.
• Session Keys: The cache also stores the symmetric session keys that are used to secure communication between the client and the KDC or the client and a service. These keys encrypt all Kerberos protocol exchanges to prevent eavesdropping and tampering.

The ticket cache operates as a temporary credential store, eliminating the need for users to repeatedly authenticate with their passwords after the initial login. This mechanism significantly reduces network traffic to domain controllers and improves the user experience across enterprise environments.

How the Kerberos Ticket Cache Works

The Kerberos ticket cache is central to the two-phase Kerberos authentication process. Understanding this process is crucial for troubleshooting authentication issues and implementing security controls.

Initial Logon Process

When a user first logs on, their Kerberos client sends an Authentication Server Request (AS-REQ) to the KDC. This request contains the user’s principal name and a timestamp encrypted with a key derived from the user’s password hash.

Upon successful verification, the KDC issues a TGT and sends it back to the client in an Authentication Server Reply (AS-REP). The client securely stores this TGT in the ticket cache along with the session key needed to communicate with the KDC.

The TGT itself is encrypted with the KDC’s secret key, making it impossible for the client to read or modify its contents. However, the client can present this opaque ticket to the KDC as proof of successful authentication.

Service Access Process

When the user attempts to access a network service, the Kerberos client first checks its local cache for a valid Service Ticket to that specific service.

If a valid Service Ticket exists in the cache, the client uses the cached ticket to authenticate directly to the service. This eliminates the need to contact the KDC and provides immediate access.

If no valid Service Ticket exists, the client uses its cached TGT to request a new Service Ticket from the KDC. The client sends a Ticket-Granting Service Request (TGS-REQ) containing the TGT and the service principal name. The KDC responds with a TGS-REP containing the new Service Ticket, which is then stored in the cache for future use.

This caching mechanism ensures that the user’s password never leaves the client machine after initial authentication. All subsequent authentication requests use tickets and session keys, providing both security and efficiency.

Kerberos Ticket Cache Security Considerations

The ticket cache represents a critical security boundary in Kerberos deployments. A compromised ticket cache can provide attackers with extensive network access without requiring password knowledge.

Primary Security Risks

• Pass-the-Ticket (PtT) Attacks: If a machine is compromised, an attacker with elevated privileges can extract tickets from the cache using tools like Mimikatz or Rubeus. Once an attacker obtains a TGT, they can request Service Tickets for any resource the user has permissions to access.
• Credential Dumping: The Local Security Authority Subsystem Service (LSASS) process on Windows systems manages the ticket cache in memory. Attackers often target LSASS to dump both password hashes and Kerberos tickets simultaneously.
• Golden Ticket Attacks: While not directly related to the ticket cache, attackers who compromise the krbtgt account can create fraudulent TGTs that will be accepted by any service in the domain. These forged tickets can be injected into ticket caches to maintain persistent access.

Security Mitigation Strategies

• Credential Guard: This Windows security feature uses virtualization-based security to isolate the LSASS process and its associated credential material. Credential Guard makes it extremely difficult for attackers to dump the ticket cache, even with administrative privileges.
• Least Privilege Access: Restricting administrative access on endpoints reduces the attack surface for ticket extraction. Regular users cannot access the ticket cache of other users or the system account.
• Multi-Factor Authentication (MFA): While MFA doesn’t directly protect the ticket cache, it prevents attackers from obtaining initial credentials that would populate the cache. Modern authentication protocols like Windows Hello for Business can reduce reliance on traditional Kerberos tickets.
• Regular Ticket Cache Clearing: Organizations can implement Group Policy settings to automatically clear ticket caches at regular intervals or during specific events like screen lock. This reduces the window of opportunity for ticket theft.

Troubleshooting Kerberos Ticket Cache Issues

Authentication problems in Kerberos environments often originate from ticket cache corruption or expiration. IT professionals should be familiar with the tools and techniques for diagnosing these issues.

Common Cache-Related Problems

• Expired Tickets: TGTs and Service Tickets have defined lifespans. When tickets expire, users may experience authentication failures when accessing services. Clock skew between clients and domain controllers can exacerbate expiration issues.
• Corrupted Cache Entries: System crashes, improper shutdowns, or file system errors can corrupt the ticket cache. Corrupted tickets will cause authentication failures even when the user’s credentials are valid.
• Cache Permission Issues: On Linux systems, incorrect permissions on the ticket cache file can prevent applications from reading stored tickets. This typically manifests as repeated password prompts for services that should use cached credentials.

Diagnostic and Resolution Techniques

The klist command-line utility is the primary tool for managing ticket caches across Windows and Linux platforms. Key klist commands include:

• klist: Display all cached tickets with their expiration times
• klist purge: Delete all tickets from the cache
• klist -li 0x3e7 purge: Clear tickets for the system account (Windows)

Clearing the ticket cache forces the client to re-authenticate with the KDC, which resolves most corruption-related issues. However, this approach requires the user to re-enter their credentials.

Network administrators can also use tools like Wireshark to capture Kerberos traffic and identify authentication failures at the protocol level. Looking for specific Kerberos error codes in KRB-ERROR messages can pinpoint whether issues stem from the cache, network connectivity, or KDC configuration.

Key Terms Appendix

• Kerberos Ticket Cache: The local storage area where Kerberos tickets and session keys are temporarily held on client machines.
• Ticket-Granting Ticket (TGT): The master credential that proves a user’s identity to the Key Distribution Center and enables requests for Service Tickets.
• Service Ticket: A temporary, service-specific credential that grants access to a particular network resource.
• Pass-the-Ticket (PtT): An attack technique where stolen Kerberos tickets are used to access network resources without knowing the user’s password.
• klist: A command-line utility available on Windows and Linux systems for viewing, managing, and purging Kerberos ticket caches.
• Local Security Authority Subsystem Service (LSASS): The Windows process responsible for managing authentication credentials, including the Kerberos ticket cache.