APPENDIX A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options

The Kerberos Ticket Options field in security events 4768, 4771, 4769, and 4770 contains a bitmask with Kerberos ticket flags that were received by a Key Distribution Center (KDC) in the AS_REQ, TGS_REQ, or AP_REQ message.

The Ticket Options field is recorded in events in hexadecimal format, for example, 0x40810010. To find which flags are enabled, convert the hexadecimal number to binary. For example:

0x40810010 = 01000000100000010000000000010000

Ticket flag bitmasks use the Most Significant Bit (MSB) 0-bit numbering format, in which bits are numbered from left to right starting from bit 0. So, in the preceding example, bits 1, 8, 15, and 27 are enabled.

Table A-1 contains information about possible ticket flags you can find in Kerberos AS_REQ, TGS_REQ, or AP_REQ messages, as well as corresponding bits for the Ticket Options field.

Table A-1: Kerberos Ticket Flags

| BIT | NAME | DESCRIPTION |
| --- | --- | --- |
| 0 | Reserved | Reserved for future use. |
| 1 | Forwardable | Tells the ticket-granting service (part of a KDC role in Windows) that it can issue a new TGT based on the presented TGT with a different network address. |
| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
| 3 | Proxiable | Tells the ticket-granting service (part of a KDC role in Windows) that it can issue tickets with a network address that differs from the one in the TGT. |
| 4 | Proxy | Indicates ... |
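
The hexadecimal-to-bit conversion described above, as an added example that is not from the book: it decodes a Ticket Options value into MSB-0 bit numbers and filters log lines by flag. The function names and sample lines are constructed for illustration, and the names for bits 8, 15 and 27 come from the RFC 4120 / RFC 6806 KDCOptions definitions rather than from this excerpt.

```python
import re

# Flag names by MSB-0 bit number. Bits 0-4 are the rows visible in Table A-1.
# Bits 8, 15 and 27 use the KDCOptions names from RFC 4120 / RFC 6806
# (assumption: not taken from this excerpt). Other bits are shown by number.
FLAG_NAMES = {
    0: "Reserved", 1: "Forwardable", 2: "Forwarded", 3: "Proxiable", 4: "Proxy",
    8: "Renewable", 15: "Canonicalize", 27: "Renewable-ok",
}

OPTIONS_RE = re.compile(r"Ticket Options:\s*(0x[0-9A-Fa-f]{1,8})\b")


def set_bits(ticket_options: str) -> list[int]:
    """Return the MSB-0 bit numbers set in a hex Ticket Options value."""
    value = int(ticket_options, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {ticket_options!r}")
    # Bit n (MSB 0) is the mask 1 << (31 - n); fixing the width at 32 keeps
    # short values such as 0x10 from being misread after leading zeros drop.
    return [n for n in range(32) if value & (1 << (31 - n))]


def decode(ticket_options: str) -> list[str]:
    """Return 'bit:name' labels for every flag set in the value."""
    return [f"{n}:{FLAG_NAMES.get(n, 'unnamed')}" for n in set_bits(ticket_options)]


def events_with_flag(lines: list[str], bit: int) -> list[str]:
    """Return the log lines whose Ticket Options field has the given bit set."""
    hits = []
    for line in lines:
        match = OPTIONS_RE.search(line)
        if match and bit in set_bits(match.group(1)):
            hits.append(line)
    return hits


# Constructed sample lines (not real log data) in a simplified one-line layout.
SAMPLE_EVENTS = [
    "4768 Account Name: alice Ticket Options: 0x40810010",
    "4769 Account Name: svc-web Ticket Options: 0x60810010",
    "4769 Account Name: bob Ticket Options: 0x10",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", decode(OPTIONS_RE.search(event).group(1)))
```
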
