Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Kerberos Ticket Options

By EventID.Net

Kerberos ticket options as per RFC 4120. The ticket options are stored in a 32 bit variable with the bits set as per the table below.

The most common values are:
- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
- 0x40810000 - Forwardable, Renewable, Canonicalize
- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok

BitFlag NameDescription
0Reserved-
1Forwardable(TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.
2ForwardedIndicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.
3Proxiable(TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.
4ProxyIndicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.
5Allow-postdatePostdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
6PostdatedPostdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
7InvalidThis flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.
8RenewableUsed in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.
9InitialIndicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.
10Pre-authentIndicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.
11Opt-hardware-authThis flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.
12Transited-policy-checkedKILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.
13Ok-as-delegateThe KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.
14Request-anonymousKILE not use this flag.
15Name-canonicalizeIn order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.
16Unused-
17Unused-
18Unused-
19Unused-
20Unused-
21Unused-
22Unused-
23Unused-
24Unused-
25Unused-
26Disable-transited-checkBy default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
27Renewable-okThe RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.
28Enc-tkt-in-skeyNo information.
29Unused-
30RenewThe RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.
31ValidateThis option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...