APPENDIX A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options
The Kerberos Ticket Options field in security events 4768, 4771, 4769, and 4770 contains a bitmask with Kerberos ticket flags that were received by a Key Distribution Center (KDC) in the AS_REQ, TGS_REQ, or AP_REQ message.
The Ticket Options field is recorded in events in hexadecimal format, for example, 0x40810010. To find which flags are enabled you need to convert the hexadecimal number to binary. For example:
0x40810010 = 01000000100000010000000000010000
Ticket flag bitmasks use the Most Significant Bit (MSB) 0-bit numbering format, in which bits are numbered from left to right starting from the 0 bit. So, in the preceding example bits 1, 8, 15, and 27 are enabled.
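The conversion described above, as an added example that is not from the book: it expands a Ticket Options value to its 32-bit string and lists the enabled bits in MSB 0 numbering. The flag names are an assumption of the example, taken from the KDCOptions definition in RFC 4120 (canonicalize from RFC 6806) rather than from this appendix, and the sample records are constructed.

```python
# Names follow KDCOptions in RFC 4120 (canonicalize: RFC 6806); they are an
# assumption of this example, not a copy of Table A-1. Unlisted bits stay unnamed.
KDC_OPTION_NAMES = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    8: "renewable", 15: "canonicalize", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}
WIDTH = 32  # Ticket Options is a 32-bit mask


def parse_ticket_options(value):
    """Accept '0x40810010', '40810010' or an int and return it as a 32-bit int."""
    mask = int(value.strip(), 16) if isinstance(value, str) else int(value)
    if not 0 <= mask < (1 << WIDTH):
        raise ValueError(f"not a 32-bit Ticket Options value: {value!r}")
    return mask


def to_binary(value):
    """32-character bit string; index 0 of the string is bit 0 (MSB 0)."""
    return format(parse_ticket_options(value), f"0{WIDTH}b")


def enabled_bits(value):
    """Bit positions that are set, numbered left to right from 0."""
    return [i for i, bit in enumerate(to_binary(value)) if bit == "1"]


def describe(value):
    """(bit, name) pairs; bits missing from the map are labelled 'unnamed'."""
    return [(b, KDC_OPTION_NAMES.get(b, "unnamed")) for b in enabled_bits(value)]


def events_with_bit(events, bit):
    """Filter (event_id, ticket_options) records to those with `bit` set."""
    return [e for e in events if bit in enabled_bits(e[1])]


# Constructed sample records (event ID, Ticket Options); not real log data.
SAMPLE_EVENTS = [
    (4768, "0x40810010"),
    (4769, "0x40810000"),
    (4769, "0x60810010"),
]

if __name__ == "__main__":
    for event_id, options in SAMPLE_EVENTS:
        print(event_id, options, to_binary(options), describe(options))
```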
Table A-1 contains information about possible ticket flags you can find in Kerberos AS_REQ, TGS_REQ, or AP_REQ messages, as well as corresponding bits for the Ticket Options field.
Table A-1: Kerberos Ticket Flags
BIT | NAME | DESCRIPTION |
| | Reserved for future use. |
| | Tells the ticket-granting service (part of a KDC role in Windows) that it can issue a new TGT based on the presented TGT with a different network address. |
| | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
| | Tells the ticket-granting service (part of a KDC role in Windows) that it can issue tickets with a network address that differs from the one in the TGT. |
| | Indicates ... |