AW: Proof of authenticity of TGT

Olfmatic olfmatic at
Wed Aug 23 03:43:30 EDT 2006

I understand your warnings. But it is not possible to add the service to the realm, because it is running on a host that is not in the same Windows domain and not in the same Kerberos realm. To be more precise, it is not running in a Kerberos realm at all and thus is not really a Kerberos service.
So I have to find my own way to authenticate my client to my server. I thought of checking the TGT that the client obtains from the KDC.
Can you tell me how to get the KDC's master key that the TGT is encrypted with? Or maybe you have another solution for my problem...

Thank you for your help.

-----Original Message-----
From: raeburn at MIT.EDU [mailto:raeburn at MIT.EDU]
Sent: Tuesday, 22 August 2006 19:56
To: Olfmatic
Cc: kerberos at
Subject: Re: Proof of authenticity of TGT

On Aug 22, 2006, at 5:50, Olfmatic wrote:
> as my service is not part of the Kerberos realm, I am not able to
> acquire a service ticket for it. My next thought is to use the TGT
> for authentication at the service.
> How can this be done? Is the TGT signed with a KDC secret? How can
> this be obtained from the KDC? If I had the KDC's master key, the
> TGT is encrypted with, I could give it to my service so it can
> prove the authenticity of the TGT passed to it by my client.

It may be possible to extract the TGT key from the database, though  
it's not a great idea.  If you've got that degree of access, why  
can't you add the service to the realm?  And if you're going to use  
the TGT key for some random service, I hope there's nothing else in  
the realm you care about the security of, because if that server (or  
the machine it runs on) can be compromised, everything else in the  
realm would be vulnerable.
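The key-separation point in the reply above (a TGT is sealed under the krbtgt key, a service ticket under that one service's key, so a service outside the realm cannot verify a TGT without holding the key that protects every TGT) is easy to see in a toy model. The following is an added, constructed example, not code from the thread, MIT Kerberos, or any KDC implementation: the "sealing" primitive is a simple HMAC-SHA256 construction standing in for real Kerberos enctypes, and the realm name `EXAMPLE.COM`, the principals `alice` and `http/app.example.com`, and the out-of-realm service name `myservice/outside` are all made up. It models only who can open which ticket.

```python
"""Toy model of Kerberos ticket key separation (constructed example, not MIT code).

Tickets are sealed with an HMAC-SHA256 based stream-cipher-plus-tag construction
that stands in for real Kerberos enctypes. The point demonstrated is *which key
opens which ticket*, i.e. why a TGT is useless to a service that lacks the krbtgt
key, and why handing that key to one service exposes every TGT in the realm.
"""
import hashlib
import hmac
import json
import secrets


# --- toy sealing primitive: nonce || ciphertext || tag ----------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ticket")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def can_open(key: bytes, blob: bytes) -> bool:
    """True if `key` verifies and decrypts `blob`; the check a service really performs."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


# --- toy KDC: one long-term key per principal, krbtgt key for TGTs ----------
class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}  # principal name -> long-term key (constructed realm database)
        self.krbtgt_key = self.register(f"krbtgt/{realm}")

    def register(self, principal: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[principal] = key
        return key

    def as_exchange(self, client: str):
        """AS exchange: TGT sealed under the krbtgt key; session key sealed under the client's key."""
        session_key = secrets.token_bytes(32)
        body = {"cname": client, "sname": f"krbtgt/{self.realm}", "key": session_key.hex()}
        tgt = seal(self.krbtgt_key, json.dumps(body).encode())
        return tgt, seal(self.keys[client], session_key)

    def tgs_exchange(self, tgt: bytes, service: str) -> bytes:
        """TGS exchange: the KDC opens the TGT (only it holds the krbtgt key) and
        issues a ticket sealed under the *service's* key. A service that is not a
        principal in the realm has no key here, so no ticket can be issued for it."""
        if service not in self.keys:
            raise KeyError(f"{service} is not a principal in {self.realm}")
        body = json.loads(unseal(self.krbtgt_key, tgt))
        svc_session_key = secrets.token_bytes(32)
        ticket = {"cname": body["cname"], "sname": service, "key": svc_session_key.hex()}
        return seal(self.keys[service], json.dumps(ticket).encode())


def service_accepts(service_key: bytes, ticket: bytes):
    """What a service does with a presented ticket: open it with its own key only."""
    try:
        return json.loads(unseal(service_key, ticket))["cname"]
    except ValueError:
        return None


def demo() -> dict:
    kdc = KDC("EXAMPLE.COM")  # constructed realm
    kdc.register("alice")
    http_key = kdc.register("http/app.example.com")
    tgt, _ = kdc.as_exchange("alice")
    ticket = kdc.tgs_exchange(tgt, "http/app.example.com")
    try:
        kdc.tgs_exchange(tgt, "myservice/outside")  # the situation in the thread
        foreign_service_gets_ticket = True
    except KeyError:
        foreign_service_gets_ticket = False
    return {
        "service_accepts_own_ticket": service_accepts(http_key, ticket),  # "alice"
        "service_can_read_tgt": can_open(http_key, tgt),                  # False
        "krbtgt_key_reads_tgt": can_open(kdc.krbtgt_key, tgt),            # True
        "foreign_service_gets_ticket": foreign_service_gets_ticket,       # False
    }


if __name__ == "__main__":
    print(demo())
```

The last two results are the whole argument of the reply: only the krbtgt key opens a TGT, and that same key opens every TGT in the realm, so giving it to one unregistered service puts every principal's tickets behind that service's security. Registering the service as a principal gives it a key that opens only its own tickets.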
