Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Kerberos Tickets and How They Work

Kerberos allows a client (you) to exchange private information with a server across an otherwise open network. A unique key, called a ticket, is assigned to each person that authenticates to the network using his or her PennKey and password with special ticket management software. The ticket instead of your PennKey and password is embedded in messages and identifies you to various Kerberized services on campus when you attempt to connect to them. Your PennKey and password are never sent across the network.

Types of Tickets

You receive two types of tickets that help identify you.

  • Ticket-granting ticket (TGT). When you use your PennKey and password to log into the Kerberos ticket manager installed on your computer, you receive a ticket-granting ticket (TGT) from a central Key Distribution Center (KDC). The TGT acts as a master ID that identifies you to all the various Kerberized services on campus.

  • Service ticket. When you attempt to connect to a specific service (e.g., IMAP email), on a server that employs Kerberos for authentication, the service wants to know that you are who you say you are. To that end, your Kerberos-capable client software (e.g., Eudora) presents the ticket that was issued by the KDC, much as one might present a government-issued photo ID at airport check-in. The service first examines the ticket to verify your identity, and then checks to see if you are authorized to use the service. If everything checks out, you are authenticated and presented with a Service Ticket.

Ticket Duration and Destroying Tickets

You should also understand how long tickets are good for and how to inactivate them so you do not inadvertently leave tickets (and your accounts) available for others to use.

  • TGT. At Penn, TGTs last up to 10 hours. Thus if you get a Kerberos ticket at 9:00 AM, you can continue to communicate with Kerberized services and hosts until 7:00 PM without re-authenticating to the KDC.

    Your TGT is destroyed if you reboot your computer; you will need to log into the Kerberos ticket manager every time you start your computer. Your TGT is NOT destroyed when you exit the ticket manager, so it's VERY IMPORTANT to always destroy your ticket when you leave your work area.

  • Service Ticket. The service ticket’s length varies according to host and server. As with the TGT (see above), your service ticket is not destrored when you exit the ticket manager, so it is critical to always destroy your ticket before your leave your workstation unattended.

    Destroying tickets in current Kerberos ticket managers is an "all-or-nothing" action: When you instruct a ticket manager to destroy tickets, it will destroy all services tickets along with the TGT.


In summary, as long as you have a valid TGT, you can re-authenticate and receive a new service ticket for any service you are authorized to use on any host on campus. (This is what is meant by single sign-on.) It's very important to destroy all tickets from within the Kerberos ticket manager any time you leave your work area. In order to prevent subsequent unauthorized access from your computer by another person, you must also exit or quit all client applications you have been using to access Kerberized services.



Information Systems and Computing
University of Pennsylvania
Comments & Questions

Penn Computing University of Pennsylvania
Information Systems and Computing, University of Pennsylvania