Differences between TGT and Service Tickets

Ken Raeburn raeburn at MIT.EDU
Thu Dec 10 12:17:56 EST 2009


On Dec 10, 2009, at 08:19, Tadoori (EXT), Vilas wrote:
> Hello All,
>
> I am new to the Kerberos field and would like to know the basic  
> differences between a TGT and a Service Ticket and it would be great  
> if anyone can provide an example on this.

The fundamental difference is that the TGT is a ticket for a very  
specific service, the Ticket Granting Service.  We usually use  
"service ticket" for services other than the TGS, but the TGS is a  
service as well, in the general sense.  While other services may let  
you read email or log in or print files, the TGS is more integrated  
with Kerberos and lets you acquire additional tickets for most  
services (except, for example, the password-changing service) without  
using your password every time.

In the initial ticket exchange, Kerberos lets you get a ticket for any  
service in the realm; the TGS is the usual one, but it doesn't have to  
be the one you ask for.  You could instead ask for an initial ticket  
for a print service or an IMAP service.  But if you want to use a  
second service, you need to go back to the Authentication Service and  
get another "initial" ticket that you'll need your password to decrypt  
(unless you're using PKINIT).

Ken
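
The two exchanges described in the reply above, as an added toy model in Python (not part of the original message and not MIT Kerberos code). The cipher, realm, principal names and password are constructed for illustration, and authenticators, timestamps and lifetimes are left out.

```python
import hashlib, hmac, json, os

TGS = "krbtgt/EXAMPLE.ORG"  # constructed realm and principal names throughout

def _xor(key, nonce, data):
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, obj):
    """Toy authenticated encryption (SHAKE-256 keystream + HMAC), not a Kerberos enctype."""
    nonce = os.urandom(16)
    body = nonce + _xor(key, nonce, json.dumps(obj).encode())
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor(key, body[:16], body[16:]))

def str2key(password):
    return hashlib.sha256(password.encode()).digest()

KEYS = {"alice": str2key("constructed-password"), TGS: os.urandom(32),  # toy KDC database
        "imap/mail.example.org": os.urandom(32), "lpr/print.example.org": os.urandom(32)}

def _issue(client, service, reply_key, initial):
    session = os.urandom(32).hex()
    ticket = seal(KEYS[service], dict(client=client, service=service, key=session, initial=initial))
    return ticket, seal(reply_key, {"service": service, "key": session})

def as_exchange(client, service=TGS):
    """Authentication Service: any service may be named; the reply needs the password key."""
    return _issue(client, service, KEYS[client], initial=True)

def tgs_exchange(ticket, service):
    """TGS: opens the ticket with its own key, so only a ticket issued for the TGS works."""
    tgt = unseal(KEYS[TGS], ticket)
    return _issue(tgt["client"], service, bytes.fromhex(tgt["key"]), initial=False)

def use_services(client, password, services):
    """Client: the password opens one AS reply; later replies need only the TGT session key."""
    tgt, reply = as_exchange(client)
    session = bytes.fromhex(unseal(str2key(password), reply)["key"])  # only use of the password
    out = {}
    for svc in services:
        ticket, reply = tgs_exchange(tgt, svc)
        out[svc] = (ticket, unseal(session, reply)["key"])  # opened with the session key
    return out
```

Calling `as_exchange("alice", "imap/mail.example.org")` gives the direct initial ticket from the second paragraph; `tgs_exchange` rejects it with `ValueError` because it is sealed under the IMAP service's key rather than the TGS key.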


