/ˌtiː-dʒi-ˈtiː/

n. “A master pass that lets you ask for other passes.”

TGT, or Ticket Granting Ticket, is a foundational element of the Kerberos authentication protocol. It is a time-limited, encrypted credential issued to a user or service principal after a successful initial authentication. Once obtained, a TGT allows the holder to request tickets for other services without presenting the password again.

The TGT is issued by the Authentication Service (AS), one half of the Key Distribution Center (KDC). When a user logs in, the client proves knowledge of the password (in Kerberos 5 as deployed in Active Directory, by encrypting a current timestamp with a key derived from it, the pre-authentication step) and, if that checks out, the AS returns two things: the TGT, encrypted under the long-term key of the ticket-granting service itself (the krbtgt account in Active Directory), and a fresh session key, encrypted under the user’s own key. The client cannot read the TGT; only the KDC can decrypt and validate it, which is what makes it a trusted proof of identity.

What makes the TGT powerful is what it enables next. Instead of authenticating repeatedly with passwords, the client presents the TGT to the Ticket Granting Service (TGS), the other half of the KDC, together with an authenticator (a timestamp encrypted under the session key) whenever it needs a specific service. The TGS decrypts the TGT, checks the authenticator, and issues a service ticket encrypted under that service’s own key, which the client then presents to the service itself. This mechanism is the backbone of single sign-on.

Security constraints are woven into the TGT. It carries a start and end time (10 hours by default in Active Directory, renewable for up to 7 days), names the client principal it was issued to, and every use of it requires a freshly timestamped authenticator, which blunts replay of a captured request. Sniffed off the wire it is of little use on its own: it is opaque to everyone but the KDC, and it cannot be exercised without the session key, which never travels in the clear. The caveat a practitioner should keep in mind is that the protection stops at the endpoint and the KDC. A TGT lifted from a client’s credential cache together with its session key is fully usable by whoever holds it until it expires (pass-the-ticket), and whoever holds the krbtgt key can forge TGTs outright (a golden ticket). Additionally, because the password itself never crosses the network, not even during initial authentication, exposure risk is dramatically reduced.

In enterprise environments such as those using Active Directory, the TGT is acquired at logon and cached locally (the klist command lists it on Windows and on MIT Kerberos hosts). As long as it remains valid, users can access file shares, directory services, databases, and internal applications without repeated prompts; the operating system renews it silently within its renewable lifetime. Once that lifetime is exhausted, re-authentication is required, which issues a fresh TGT and renews the trust chain.

It is important to understand what a TGT is not. It does not grant direct access to services. It cannot be presented to a file server or application on its own: a service only accepts tickets encrypted under its own key, and the TGT is encrypted under the krbtgt key, so the service cannot even open it. Its sole purpose is to authorize the issuance of service tickets by the TGS.
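The AS and TGS exchanges described above, together with the limits just noted (an expired TGT is refused by the TGS, and a TGT presented directly to a service is refused by the service), as an added walk-through in Python. This is example code written for this entry, not code from the page or from any Kerberos implementation: seal/unseal are a toy encrypt-then-MAC stand-in for the Kerberos encryption types, derive_key is a PBKDF2 stand-in for string-to-key, and the realm EXAMPLE.LOCAL, the principals alice and cifs/fs01, the passwords and the 10-hour lifetime are all constructed assumptions.

```python
"""Toy walk-through of the Kerberos AS and TGS exchanges.  Added example, not code
from the original page or any Kerberos implementation: seal/unseal stand in for
Kerberos encryption types, derive_key for string-to-key; names, passwords and
lifetimes below are constructed for illustration."""
import hashlib, hmac, json, secrets, time

def derive_key(password, salt):  # stand-in for string-to-key; parameters are assumed
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key (toy construction, demo only)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:  # holds every principal's long-term key, including the krbtgt key
    def __init__(self, keys, now=time.time):
        self.keys, self.now = keys, now
    def as_exchange(self, cname, lifetime=10 * 3600):
        """AS-REP: TGT sealed under the krbtgt key (opaque to the client) plus the
        session key sealed under the client's own long-term key."""
        session, end = secrets.token_bytes(32).hex(), self.now() + lifetime
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sname": "krbtgt",
                                         "key": session, "endtime": end})
        return tgt, seal(self.keys[cname], {"sname": "krbtgt", "key": session, "endtime": end})
    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS-REP: open the TGT, check the authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)  # ValueError here = forged or tampered TGT
        if self.now() > t["endtime"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)  # proves session-key possession
        if a["cname"] != t["cname"] or abs(a["ctime"] - self.now()) > 300:
            raise PermissionError("bad authenticator")
        svc_key = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "sname": sname,
                                         "key": svc_key, "endtime": t["endtime"]})
        return ticket, seal(bytes.fromhex(t["key"]), {"sname": sname, "key": svc_key})

class Client:
    def __init__(self, name, password, realm):
        self.name, self.cache = name, {}  # cache: sname -> (ticket, session key)
        self.ltk = derive_key(password, realm + name)
    def login(self, kdc):
        tgt, enc_part = kdc.as_exchange(self.name)
        part = unseal(self.ltk, enc_part)  # wrong password -> ValueError, TGT unusable
        self.cache["krbtgt"] = (tgt, bytes.fromhex(part["key"]))
    def authenticator(self, key, now=time.time):
        return seal(key, {"cname": self.name, "ctime": now()})
    def get_service_ticket(self, kdc, sname):
        tgt, skey = self.cache["krbtgt"]
        ticket, enc_part = kdc.tgs_exchange(tgt, self.authenticator(skey), sname)
        self.cache[sname] = (ticket, bytes.fromhex(unseal(skey, enc_part)["key"]))
        return ticket

def service_accepts(sname, service_key, ticket, authenticator):
    """AP-REQ check at a service: the ticket must open under this service's key and
    name this service.  A TGT fails the first step; it is sealed for the KDC only."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return False
    return t["sname"] == sname and a["cname"] == t["cname"] and time.time() <= t["endtime"]

def is_rejected(fn, exc):
    try:
        fn()
    except exc:
        return True
    return False

def run_demo():
    realm, user, pw, svc = "EXAMPLE.LOCAL", "alice", "correct horse battery", "cifs/fs01"
    keys = {"krbtgt": secrets.token_bytes(32), svc: secrets.token_bytes(32),
            user: derive_key(pw, realm + user)}
    kdc, alice = KDC(keys), Client(user, pw, realm)
    alice.login(kdc)
    ticket = alice.get_service_ticket(kdc, svc)
    (tgt, tgt_key), svc_key = alice.cache["krbtgt"], alice.cache[svc][1]
    future = lambda: time.time() + 11 * 3600  # one hour past the 10 h lifetime
    return {
        "service_ok": service_accepts(svc, keys[svc], ticket, alice.authenticator(svc_key)),
        "tgt_at_service": service_accepts(svc, keys[svc], tgt, alice.authenticator(tgt_key)),
        "expired_rejected": is_rejected(lambda: KDC(keys, now=future).tgs_exchange(
            tgt, alice.authenticator(tgt_key, future), svc), PermissionError),
        "wrong_password_rejected": is_rejected(
            lambda: Client(user, "wrong password", realm).login(kdc), ValueError),
    }
```

Calling run_demo() exercises the whole chain: the service ticket is accepted by cifs/fs01, the TGT handed to that same service is not (it does not even decrypt under the service key), a TGS request made an hour past the lifetime is refused, and a wrong password fails at the client before any ticket is used, because the session key in the AS reply never decrypts. The client never holds the krbtgt key and never reads its own TGT, which is the property the entry describes.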

Conceptually, the TGT represents delegated trust. You prove who you are once, receive a time-limited credential, and use that credential to safely navigate a network of services. Without the TGT, Kerberos would collapse back into repeated logins and exposed secrets.

The TGT is quiet, invisible to most users, and absolutely essential. It is the keystone that allows Kerberos to be secure, efficient, and humane in large, complex systems.