One Kerberos Ticket on several hosts?

Anahaym 486 Reputation points


we have implemented ATP and now we are getting warnings, that one Kerberos Ticket of one employee was used on two machines. It is ok?

Alert Description: An actor took employee's Kerberos ticket from TS-Server and used it on 2 computers to access 1 resource.
{"$id":"23","IsValid":false,"Type":"DomainResourceIdentifier","ResourceName":"ldap/dc.domain.local"},{"$id":"24","IsValid":false,"Type":"ResourceAccessInfo","IpAddress":"","Time":"04/27/2022 08:57:38"}
{"$id":"25","IsValid":false,"Type":"DomainResourceIdentifier","ResourceName":"ldap/dc.domain.local"},{"$id":"26","IsValid":false,"Type":"ResourceAccessInfo","IpAddress":"","Time":"04/28/2022 07:59:06"},

important notice: TS-Server has several IP-Adresses (bindet to a user), so 100.174 and 100.171 is the same TS-Server. We also have another TS-Server with serveral IPs too, that's why I'm asking whether Kerberos Ticket is the same on all machines?

Thank you in advance!

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,629 questions
Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,400 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,781 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Limitless Technology 39,511 Reputation points

    Hello @Anahaym

    In fact the ticket will be different based on the network. For example, during the request for TGT the client sends a plaintext message to the authentication server. This message contains:

    -the name of the requested service (in this case this is the Ticket Granting Server – TGS);
    -the network address;
    -the requested lifetime of the TGT.

    After verifying different information, the server generates a random key called the session key that is to be used between the client and the TGS.

    The authentication server then sends back two messages to the client:

    • Message A is encrypted with the client secret key. The client secret key is not transferred but is retrieved from the password (more to speak the hash) found in the user database. This happens all on the server side. The message contains:
      TGS name;
      the TGS session key (the key generated in the beginning of this step).
    • Message B is the Ticket Granting Ticket, encrypted with the TGS secret key, that contains
      your name;
      the TGS name;
      your network address;
      the TGS session key (same as in message A).

    Hope this helps with your query,


    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

  2. Anahaym 486 Reputation points

    Hello LimitlessTechnology-2700,

    If the ticket is always different, why then we are getting message, that the same ticket is used from different IP adresses?

    0 comments No comments