A Kerberos credential that proves the user has already authenticated and can request service tickets without re-entering credentials. In delegation scenarios, it becomes valuable because a service may store it in memory, making it a target for attackers who compromise the host.
Expanded Definition
A Kerberos Ticket-Granting Ticket, or TGT, is the reusable proof that a principal has already authenticated to the Key Distribution Center and can ask for service tickets without sending the original credential again. In NHI operations, that makes it a high-value artifact rather than a simple session token.
Definitions vary across vendors when Kerberos is used alongside modern SSO, delegation, or hybrid identity systems, but the core security meaning is stable: a TGT is the credential that enables onward ticketing. For operators, the key distinction is between the TGT itself and the downstream service ticket it helps mint. Because TGTs can live in memory, caches, or delegated workflows, they sit at the intersection of authentication, session control, and host compromise risk. This is why identity programs that study service account exposure in the Ultimate Guide to NHIs treat Kerberos artifacts as part of the broader secret and credential lifecycle, not as a narrow protocol detail. The closest standards lens is the trust model described in NIST Cybersecurity Framework 2.0, especially where identity assurance and access enforcement intersect.
The most common misapplication is treating a TGT as harmless session state, which occurs when teams ignore its persistence in memory on compromised hosts.
Examples and Use Cases
Implementing Kerberos ticket handling rigorously often introduces operational friction, requiring organisations to weigh seamless delegation against tighter monitoring and shorter session exposure.
- A domain-joined application uses a user’s TGT to request a service ticket for file access, allowing single sign-on without repeated password prompts.
- A service with constrained delegation receives a delegated TGT-like context to act on behalf of a user, which expands blast radius if the host is compromised.
- A workstation compromise leads defenders to inspect cached tickets and ticket lifetimes because attackers may reuse the TGT to move laterally.
- A directory services team aligns ticket issuance, renewal, and log review with identity governance practices described in the Ultimate Guide to NHIs, while validating authentication assurance concepts against NIST Cybersecurity Framework 2.0.
- A security engineer shortens ticket lifetimes during an incident to reduce reuse opportunities, accepting more frequent reauthentication and support load.
These use cases show why Kerberos is still central in enterprise identity even as NHI programs broaden toward API keys, certificates, and workload identities.
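The cache inspection in the use cases above, as an added example that is not code from the original page: it parses a constructed Windows `klist` listing, separates the TGT (krbtgt entry) from the downstream service ticket, and flags TGTs whose lifetime, renewal window or forwardable flag exceed an assumed incident-response policy. The policy thresholds and sample principals are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of Windows `klist` output (not captured from any real host).
# Entry #0 is the TGT (krbtgt service); entry #1 is a downstream CIFS service ticket.
SAMPLE_KLIST = """\
#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/15/2024 8:00:00 (local)
        End Time:   1/15/2024 18:00:00 (local)
        Renew Time: 1/22/2024 8:00:00 (local)

#1>     Client: alice @ CORP.EXAMPLE
        Server: cifs/fs01.corp.example @ CORP.EXAMPLE
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 1/15/2024 8:05:00 (local)
        End Time:   1/15/2024 18:00:00 (local)
        Renew Time: 1/22/2024 8:00:00 (local)
"""
FIELD_RE = re.compile(r"^\s*(Client|Server|Start Time|End Time|Renew Time):\s*(.+?)\s*(?:\(local\))?$", re.M)
FLAGS_RE = re.compile(r"Ticket Flags 0x[0-9a-fA-F]+ -> (.+)")
TS = "%m/%d/%Y %H:%M:%S"  # klist prints local time without zero padding

def parse_klist(text):
    """Split klist output into one dict per cached ticket (#n> blocks)."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        f = dict(FIELD_RE.findall(block))
        m = FLAGS_RE.search(block)
        tickets.append({"client": f["Client"], "server": f["Server"],
                        "flags": set(m.group(1).split()) if m else set(),
                        "start": datetime.strptime(f["Start Time"], TS),
                        "end": datetime.strptime(f["End Time"], TS),
                        "renew": datetime.strptime(f["Renew Time"], TS)})
    return tickets

def review_cache(tickets, max_tgt_life=timedelta(hours=8), max_renew=timedelta(days=7)):
    """Flag TGTs (krbtgt entries only) exceeding assumed incident-response thresholds."""
    findings = []
    for t in tickets:
        if not t["server"].startswith("krbtgt/"):
            continue  # service tickets are the downstream artifact, not the TGT itself
        life, renew = t["end"] - t["start"], t["renew"] - t["start"]
        if life > max_tgt_life:
            findings.append((t["client"], "tgt_lifetime_exceeds_policy", life))
        if renew > max_renew:
            findings.append((t["client"], "renew_window_exceeds_policy", renew))
        if "forwardable" in t["flags"]:  # forwardable TGTs can be handed to delegating services
            findings.append((t["client"], "forwardable_tgt_delegation_exposure", life))
    return findings
```

On a real host, feed the script the output of `klist` from the session under investigation; the 10-hour lifetime and 7-day renewal window in the sample match common Windows defaults, which is why a shortened incident policy flags them.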
Why It Matters in NHI Security
Kerberos TGTs matter because they convert one successful authentication event into a reusable access capability. When a host is compromised, the attacker does not need the original password if the TGT can be harvested from memory or a ticket cache. That is why the security discussion is not just about protocol correctness but about endpoint hardening, privilege containment, and credential hygiene across the whole identity lifecycle.
NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and the same pattern of stored credential abuse applies when Kerberos tickets are exposed on servers or jump hosts. In practice, ticket abuse becomes easier when service accounts are over-privileged, renewal windows are too long, or delegation paths are poorly understood; these same issues undermine the Zero Trust programs described in the Ultimate Guide to NHIs and the access governance model in NIST Cybersecurity Framework 2.0.
Organisations typically feel the operational impact only after a workstation, server, or delegated service is breached, at which point TGT exposure can no longer be deferred.
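A detection for the reuse scenario described above, added here as an example and not taken from the page or from NHIMG: it correlates constructed domain-controller audit records and alerts when a service ticket (event 4769) is requested for a user from a source address that was never issued a TGT (event 4768) within the TGT lifetime. The sample records, addresses and the 10-hour lifetime are assumptions.

```python
from datetime import datetime, timedelta

# Constructed domain-controller audit records (not real logs). Field names follow the
# Windows 4768 (TGT issued) and 4769 (service ticket requested) event schema.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.1.20",
     "Time": "2024-01-15T08:00:00"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "cifs/fs01",
     "IpAddress": "::ffff:10.0.1.20", "Time": "2024-01-15T08:05:00"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "cifs/fs02",
     "IpAddress": "::ffff:10.0.9.77", "Time": "2024-01-15T09:30:00"},
]

def _norm(e):
    """Normalise the fields that differ between 4768 and 4769 records."""
    user = e["TargetUserName"].split("@")[0].lower()  # 4769 carries user@REALM, 4768 the bare name
    ip = e["IpAddress"]
    ip = ip[7:] if ip.startswith("::ffff:") else ip   # Windows logs IPv4 as IPv4-mapped IPv6
    return user, ip, datetime.fromisoformat(e["Time"])

def detect_tgt_reuse(events, tgt_lifetime=timedelta(hours=10)):
    """Return 4769 events whose user had no TGT issued (4768) to the same source address
    within tgt_lifetime. A host minting service tickets without ever having authenticated
    is consistent with a TGT harvested elsewhere and replayed from that host."""
    issued = {}   # (user, source ip) -> timestamps of TGTs issued there
    alerts = []
    for e in sorted(events, key=lambda ev: ev["Time"]):
        user, ip, ts = _norm(e)
        if e["EventID"] == 4768:
            issued.setdefault((user, ip), []).append(ts)
        elif e["EventID"] == 4769:
            covered = [t for t in issued.get((user, ip), [])
                       if timedelta(0) <= ts - t <= tgt_lifetime]
            if not covered:
                alerts.append({"user": user, "source": ip,
                               "service": e["ServiceName"], "time": e["Time"]})
    return alerts
```

In production this needs 4768 records from every domain controller, since the DC that issued the TGT is often not the one serving the 4769, and machine accounts and krbtgt renewals should be excluded to keep the alert volume manageable.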
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and credential exposure risks, including reusable tickets and cached auth artifacts. |
| NIST CSF 2.0 | PR.AA-01 | Addresses identity assurance and authentication processes that govern ticket issuance and reuse. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust requires continuous verification even when Kerberos has already authenticated a principal. |
Inventory, protect, and rotate Kerberos-related credentials and monitor host memory exposure.