Skip to content


1. How it work


  • The user authenticates to the kerberos server (usually the DC)

  • The DC sends a TGT that says "I certify that this is who he says he is".

  • The user requests a TGS from the service he wants with his TGT

  • The service checks that he has the right to access, if yes it sends him a TGS

  • The user uses his TGS to access the service

The TGT is signed with the NT of the krbtgt account

The TGS is signed with the NT of the machine account