Skip to main content

7.3. Name of the TGS

Overview

The Ticket-Granting Service (TGS) has a special principal name format in Kerberos.

TGS Principal Name

Format

Service: krbtgt
Instance: Target realm name
Realm: Service realm

Examples

Local TGS

Principal: krbtgt/REALM@REALM
Example: krbtgt/[email protected]
Used for obtaining service tickets within the same realm

Cross-Realm TGS

Principal: krbtgt/TARGET-REALM@SOURCE-REALM
Example: krbtgt/[email protected]
Used for cross-realm authentication
Inter-realm key shared between realms

Usage

Identifies TGS in ticket requests
TGT is ticket for the TGS principal
Cross-realm navigation uses intermediate TGS principals
Special handling in KDC

Security Considerations

TGS principal keys are highly sensitive
Compromise allows ticket forgery
Cross-realm keys establish trust relationships
Key management critical for security

Reference

For complete specification, refer to RFC 4120 Section 7.3.

Overview
TGS Principal Name
- Format
- Examples
Usage
Security Considerations
Reference