Blogs

Kerberos is everywhere in Active Directory, but most beginners find it confusing. In this post, we’ll strip it down to the basics. 💡This will be an series of posts, this is just part 1. Whenever a domain-joined user tries to log in, the request is sent to the KDC

In the previous post, we explored the AS-REQ and AS-REP messages, where the client obtained its Ticket Granting Ticket (TGT). In this article, we’ll dive into the next step: Service Tickets. You’ll learn how they’re requested, how the KDC responds with a ticket , and how the client

In the previous post, we covered how the client receives a Service Ticket in the TGS-REP. With this ticket in hand, the client can now authenticate to the specific service it was issued for. The service, in turn, can decrypt the Service Ticket using its own long-term key and verify

In the previous posts we saw how clients obtain a TGT and Service tickets, each of which can include an authorization-data field. In this article we’ll unpack that field and the PAC (Privilege Attribute Certificate) it often contains. You’ll learn what the PAC holds, how it’s carried