Question on validating Kerberos Ticket (From one machine to another)

Russ Allbery rra at
Mon Jun 25 19:57:04 EDT 2007

first last <swtest9 at> writes:

> I have a client system, both Linux and Windows, that has a valid ticket
> (TGT) in its cache.  I take that ASN.1 encoded ticket and move it to
> another machine which then wants to know if the client machine has an
> authorized user.  What I want to do is to validate that ticket.  Is
> there anything that would return authorized, expired, invalid, etc. when
> I present the ticket to the KDC?

Er, if you want to authenticate a client to another machine, you need to
either use GSSAPI or use krb5_mk_req and friends.

> Or is there any way to take that ASN.1 encoded ticket (client machine)
> and stick it into the cache (on the other machine) and then use that to
> perform the TGS exchange (on the other machine)?

Yes, you authenticate to the other machine and then do ticket forwarding.
The preferred way to do this is via GSSAPI, using GSSAPI's privilege
delegation capability.

Russ Allbery
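
A simplified model of the AP exchange (RFC 4120) that krb5_mk_req and krb5_rd_req implement, showing why a copied ticket alone cannot be validated and where the "authorized, expired, invalid" outcomes come from. This is an added example, not part of the original post and not MIT Kerberos code. The function names `kdc_issue`, `mk_req` and `rd_req` are hypothetical, a toy SHA-256 stream cipher with HMAC stands in for a real Kerberos enctype, and the replay cache is left out.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Keystream from SHA-256 in counter mode (toy stand-in, not a real enctype).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the decoded object, or None if the MAC does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(service_key, client, lifetime, now):
    """KDC: the ticket is opaque to the client; the session key is returned separately."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "key": session_key.hex(),
                                "endtime": now + lifetime})
    return ticket, session_key

def mk_req(ticket, session_key, client, now):
    """Client: ticket plus a fresh authenticator sealed under the session key."""
    return ticket, seal(session_key, {"client": client, "ctime": now})

def rd_req(service_key, ap_req, now, skew=300):
    """Service: decide 'authorized', 'expired' or 'invalid' locally, without asking the KDC."""
    ticket, authenticator = ap_req
    t = unseal(service_key, ticket)
    if t is None:
        return "invalid"            # not issued for this service, or tampered with
    if now > t["endtime"]:
        return "expired"
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a is None or a["client"] != t["client"] or abs(now - a["ctime"]) > skew:
        return "invalid"            # sender does not hold the session key, or stale request
    return "authorized"
```
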
