Hello,
We have implemented ATP and now we are getting warnings that one Kerberos ticket of one employee was used on two machines. Is it OK?
Alert Description: An actor took employee's Kerberos ticket from TS-Server and used it on 2 computers to access 1 resource.
{"$id":"23","IsValid":false,"Type":"DomainResourceIdentifier","ResourceName":"ldap/dc.domain.local"},{"$id":"24","IsValid":false,"Type":"ResourceAccessInfo","IpAddress":"192.168.100.174","Time":"04/27/2022 08:57:38"}
{"$id":"25","IsValid":false,"Type":"DomainResourceIdentifier","ResourceName":"ldap/dc.domain.local"},{"$id":"26","IsValid":false,"Type":"ResourceAccessInfo","IpAddress":"192.168.100.171","Time":"04/28/2022 07:59:06"},
Important notice: TS-Server has several IP addresses (bound to a user), so 100.174 and 100.171 are the same TS-Server. We also have another TS-Server with several IPs too; that's why I'm asking whether the Kerberos ticket is the same on all machines.
Thank you in advance!
Hello LimitlessTechnology-2700,
If the ticket is always different, why then are we getting a message that the same ticket is used from different IP addresses?
Hello @Anahaym
In fact, the ticket will be different based on the network. For example, during the request for a TGT the client sends a plaintext message to the authentication server. This message contains:
- the username;
- the name of the requested service (in this case this is the Ticket Granting Server – TGS);
- the network address;
- the requested lifetime of the TGT.
After verifying different information, the server generates a random key called the session key that is to be used between the client and the TGS.
The authentication server then sends back two messages to the client:
Hope this helps with your query,
-----------------
--If the reply is helpful, please Upvote and Accept as answer--
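
A triage sketch for the alert evidence quoted in this thread, added here as an example (it is not code from the original posts or from the product): it parses the `ResourceAccessInfo` entries and checks whether every source IP belongs to a single inventoried host. The `INVENTORY` mapping, the host name `TS-SERVER`, the `[]` wrapper around the evidence fragment, and the rule that each access entry follows its resource entry are assumptions.

```python
import json
from datetime import datetime

# Evidence fragment from the alert in the question, wrapped in [] so it parses.
EVIDENCE = '''[
{"$id":"23","IsValid":false,"Type":"DomainResourceIdentifier","ResourceName":"ldap/dc.domain.local"},
{"$id":"24","IsValid":false,"Type":"ResourceAccessInfo","IpAddress":"192.168.100.174","Time":"04/27/2022 08:57:38"},
{"$id":"25","IsValid":false,"Type":"DomainResourceIdentifier","ResourceName":"ldap/dc.domain.local"},
{"$id":"26","IsValid":false,"Type":"ResourceAccessInfo","IpAddress":"192.168.100.171","Time":"04/28/2022 07:59:06"}
]'''

# Assumed inventory: host name -> every IP bound to it (host name is hypothetical).
INVENTORY = {"TS-SERVER": {"192.168.100.171", "192.168.100.174"}}

def parse_accesses(evidence_json):
    """Pair each ResourceAccessInfo with the DomainResourceIdentifier before it."""
    accesses, resource = [], None
    for item in json.loads(evidence_json):
        if item.get("Type") == "DomainResourceIdentifier":
            resource = item.get("ResourceName")
        elif item.get("Type") == "ResourceAccessInfo":
            when = datetime.strptime(item["Time"], "%m/%d/%Y %H:%M:%S")
            accesses.append({"resource": resource, "ip": item["IpAddress"], "time": when})
    return accesses

def owner_of(ip, inventory):
    """Return the host that owns this IP, or None if the IP is not inventoried."""
    for host, ips in inventory.items():
        if ip in ips:
            return host
    return None

def triage(evidence_json, inventory):
    """Decide whether the 'different computers' are really one multi-homed host."""
    accesses = parse_accesses(evidence_json)
    if not accesses:
        raise ValueError("no ResourceAccessInfo entries in evidence")
    owners = {a["ip"]: owner_of(a["ip"], inventory) for a in accesses}
    unknown = sorted(ip for ip, host in owners.items() if host is None)
    hosts = sorted({h for h in owners.values() if h is not None})
    # Unknown source IPs or more than one owning host need a closer look.
    verdict = "investigate" if unknown or len(hosts) > 1 else "same-host"
    times = [a["time"] for a in accesses]
    return {"verdict": verdict, "hosts": hosts, "unknown_ips": unknown,
            "span": max(times) - min(times)}

if __name__ == "__main__":
    print(triage(EVIDENCE, INVENTORY))
```

A `same-host` verdict only says the source addresses map to one inventoried machine; it relies on the inventory being accurate.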