A Ticket Granting Ticket is the Kerberos token used to request service tickets after the initial authentication step. In a Golden Ticket attack, the attacker forges this token so the directory accepts an identity and authorisation decision that was never legitimately issued.
Expanded Definition
A Ticket Granting Ticket, or TGT, is the Kerberos credential that proves a principal has already authenticated and can now request service tickets without re-entering a password or key. In NHI security, it is a high-value authentication artifact, not a general access token.
Kerberos remains relevant in enterprise directories, legacy infrastructure, and hybrid environments where authentication is centralized and ticket-based. The TGT is issued by the Key Distribution Center after initial verification and is then presented to obtain access to specific services. That distinction matters: a TGT does not directly grant every permission, but it becomes the bridge to everything that follows. Definitions vary across vendors when the term is discussed alongside federation, SSO, or modern token services, so practitioners should keep the Kerberos-specific meaning intact and avoid collapsing it into any generic session token. For broader identity governance context, see the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0.
The most common misapplication is treating a TGT like an ordinary application session, which occurs when teams ignore its directory trust implications and fail to monitor where it can be forged, cached, or reused.
Examples and Use Cases
Implementing Kerberos carefully often introduces operational complexity, requiring organisations to balance seamless single sign-on against tighter ticket lifetimes, stronger monitoring, and more careful key protection.
- A Windows domain controller issues a TGT after successful authentication, and the workstation uses that ticket to request file server or database service tickets without exposing credentials again.
- A service account in an automated job authenticates once and receives a TGT, then repeatedly obtains short-lived service tickets for scheduled tasks. This is efficient, but it also expands the impact of stolen ticket material if the account is overprivileged.
- During incident response, defenders review anomalous ticket activity and compare it to normal lifecycle behavior described in the Ultimate Guide to NHIs to determine whether the TGT was legitimately issued or forged.
- A security team aligns Kerberos hardening with the NIST Cybersecurity Framework 2.0 by enforcing better access control, logging, and authentication monitoring around directory services.
- In a hybrid environment, an agent or workload may authenticate to an enterprise directory, receive a TGT, and then access downstream services through delegated trust, making ticket scope and lifetime critical governance variables.
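The incident-response comparison described above (was this TGT legitimately issued, or is it being used without ever having been requested from the KDC?) can be scripted against the domain controllers' Security logs. The following is an added example, not code from the original page or from NHI Mgmt Group: it correlates Windows event 4768 (TGT issued) with 4769 (service ticket requested) and flags accounts that present a TGT the KDCs never issued, plus requests that use RC4 where the domain expects AES. The event records are constructed samples shaped like the relevant Security log fields; the 10-hour lookback is an assumption matching the Windows default maximum TGT lifetime.

```python
"""Correlate Kerberos KDC events (4768 TGT issuance, 4769 service-ticket
requests) to flag service-ticket requests with no matching TGT issuance in
the lookback window, and requests that use a downgraded encryption type.
Added example; the events below are constructed samples, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption type codes as logged in TicketEncryptionType (RFC 3961 etypes).
ETYPE_NAMES = {0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
DOWNGRADED_ETYPES = {0x17, 0x18}

# Constructed sample events. In practice, collect these from every DC in the
# domain: a legitimate 4768 may be logged on a different KDC than the 4769.
SAMPLE_EVENTS = [
    {"time": "2026-05-29T08:55:10", "id": 4768, "user": "svc-backup",
     "service": "krbtgt", "etype": 0x12, "ip": "10.0.5.21"},
    {"time": "2026-05-29T08:56:02", "id": 4769, "user": "svc-backup",
     "service": "cifs/files01", "etype": 0x12, "ip": "10.0.5.21"},
    # Service-ticket requests for an account with no TGT issuance on record,
    # using RC4: the profile of a forged TGT presented to the KDC.
    {"time": "2026-05-29T09:10:44", "id": 4769, "user": "administrator",
     "service": "cifs/dc01", "etype": 0x17, "ip": "10.0.9.77"},
    {"time": "2026-05-29T09:11:01", "id": 4769, "user": "administrator",
     "service": "ldap/dc01", "etype": 0x17, "ip": "10.0.9.77"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_suspicious_tgs(events, lookback=timedelta(hours=10)):
    """Return (user, service, reason) findings for each 4769 that has no 4768
    for the same account within `lookback` before it, or that uses a
    downgraded etype. `lookback` should equal the domain's maximum TGT
    lifetime (assumed here: the 10-hour Windows default)."""
    tgt_issued = defaultdict(list)  # account -> [datetime of each 4768]
    for e in events:
        if e["id"] == 4768:
            tgt_issued[e["user"].lower()].append(parse_time(e["time"]))

    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] != 4769:
            continue
        t = parse_time(e["time"])
        user = e["user"].lower()
        has_recent_tgt = any(t - lookback <= issued <= t for issued in tgt_issued[user])
        if not has_recent_tgt:
            findings.append((user, e["service"], "TGS request without prior TGT issuance"))
        if e["etype"] in DOWNGRADED_ETYPES:
            name = ETYPE_NAMES.get(e["etype"], hex(e["etype"]))
            findings.append((user, e["service"], f"downgraded ticket encryption {name}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tgs(SAMPLE_EVENTS):
        print(finding)
```

Both signals are heuristics rather than proof: a missing 4768 can also mean the log from the issuing DC was not collected, and RC4 may be legitimate for accounts that never had AES keys set. Treat a hit as a trigger to pull the full ticket history for that account across all KDCs and compare it with the account's normal lifecycle.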
Why It Matters in NHI Security
TGTs sit at the centre of directory trust, which makes them a prime target for attackers who want durable, low-noise access. If a TGT is forged or stolen, the issue is not merely credential exposure; it becomes an identity integrity failure that can let an attacker impersonate a legitimate principal and request additional tickets inside the domain.
This is why Kerberos ticket governance belongs in broader NHI programmes. The Ultimate Guide to NHIs notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, underscoring how often authentication artifacts become the entry point. Teams that already use the NIST Cybersecurity Framework 2.0 can map TGT protection to access control, detection, and response outcomes, especially where privileged service accounts depend on directory trust. Practitioners should also treat TGT handling as part of secret and session hygiene, not as a narrow Windows-only concern.
Organisations typically encounter the operational impact only after lateral movement or domain compromise is detected, at which point investigating and containing the Ticket Granting Ticket can no longer be avoided.
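When containment reaches an individual host, the cached tickets on that machine are where ticket lifetime and key hygiene become visible. The block below is an added example, not code from the original page or from NHI Mgmt Group: it parses the ticket-cache listing printed by the Windows `klist` command and flags any ticket whose lifetime or renewal window exceeds domain policy, or whose encryption type is weaker than expected. The `klist` output is constructed to mirror the real layout, and the policy values (10-hour ticket lifetime, 7-day renewal, AES-only) are assumptions matching Windows defaults rather than values from the page.

```python
"""Parse Windows `klist` output and flag cached tickets outside policy.
Added example: the sample listing is constructed, and the policy limits are
assumed Windows defaults (10h TGT lifetime, 7-day renewal, AES expected)."""
import re
from datetime import datetime, timedelta

POLICY_MAX_TICKET_LIFETIME = timedelta(hours=10)   # assumed domain policy
POLICY_MAX_RENEWAL = timedelta(days=7)             # assumed domain policy
EXPECTED_ETYPES = {"AES-256-CTS-HMAC-SHA1-96", "AES-128-CTS-HMAC-SHA1-96"}
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed klist output: ticket #0 is a normal TGT; ticket #1 has a
# ten-year lifetime and RC4 encryption, the profile of a forged TGT.
SAMPLE_KLIST = """
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: svc-backup @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/29/2026 9:00:00 (local)
        End Time:   5/29/2026 19:00:00 (local)
        Renew Time: 6/5/2026 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.example

#1>     Client: administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/29/2026 9:05:00 (local)
        End Time:   5/27/2036 9:05:00 (local)
        Renew Time: 5/27/2036 9:05:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""


def parse_klist(text):
    """Split klist output into one dict of 'Field: value' pairs per ticket."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]:
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.strip().partition(":")
            if not sep:          # e.g. the "Ticket Flags ..." line has no colon
                continue
            fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets


def _time(value):
    """Convert '5/29/2026 9:00:00 (local)' into a datetime."""
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def check_tickets(tickets):
    """Return (client, server, reason) findings for tickets outside policy."""
    findings = []
    for t in tickets:
        client, server = t.get("Client", "?"), t.get("Server", "?")
        start, end, renew = _time(t["Start Time"]), _time(t["End Time"]), _time(t["Renew Time"])
        if end - start > POLICY_MAX_TICKET_LIFETIME:
            findings.append((client, server, f"lifetime {end - start} exceeds policy"))
        if renew - start > POLICY_MAX_RENEWAL:
            findings.append((client, server, f"renewal window {renew - start} exceeds policy"))
        etype = t.get("KerbTicket Encryption Type", "")
        if etype not in EXPECTED_ETYPES:
            findings.append((client, server, f"unexpected encryption type {etype}"))
    return findings


if __name__ == "__main__":
    for finding in check_tickets(parse_klist(SAMPLE_KLIST)):
        print(finding)
```

A TGT whose end time sits years past its start time cannot have come from a KDC enforcing the assumed policy, so this check is a cheap triage step on a suspect host; it complements, rather than replaces, KDC-side log correlation.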
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers misuse of NHI auth artifacts and ticket-based trust abuse. |
| NIST CSF 2.0 | PR.AC-1 | Addresses identity proofing and access control for directory-authenticated sessions. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification beyond a single ticket grant. |
Tie TGT issuance and monitoring to access-control logging and least-privilege reviews.
Reviewed and updated by the NHIMG editorial team on May 29, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org