Kerberos Double Hop

Kerberos Double Hop is a term used to describe a method of maintaining the client’s Kerberos authentication credentials over two or more connections. In this fashion we can retain the user’s credentials and act on behalf of the user in further connections to other servers.

Please make sure you read the previous Kerberos for the busy admin post as I will reference terms used in that blog frequently.

The Kerberos TGT is the user’s identity. When the client passes this ticket along with the service ticket, the receiving server can re-use the TGT to request other service tickets and speak to further service resources on the network on the user’s behalf.

There are two requirements for a service to be able to perform a Kerberos double hop. First, the service account must be trusted for delegation, meaning it is trusted to act on another user’s behalf. Second, the source and target servers must be in the same forest, or there must be a forest-level trust between the forests and the first-hop service account must be in the trusted forest root.

How it Works:

Step 1 – Client provides credentials and the domain controller returns a Kerberos TGT to the client.
Step 2 – Client uses the TGT to request a service ticket to connect to Server 1.
Step 3 – Client connects to Server 1 and provides both the TGT and the service ticket.
Step 4 – Server 1 uses the client’s TGT to request a service ticket so that Server 1 can connect to Server 2.
Step 5 – Server 1 connects to Server 2 using the client’s credentials.
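An added defender-side example (PowerShell, not from the original post): it lists the accounts that carry the "trusted for delegation" requirement described above, the accounts limited to constrained delegation, and the privileged users whose TGT a first-hop server could forward. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the group names and userAccountControl bits are standard AD values.

```powershell
# Added example (not from the original post): audit delegation settings in AD.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# userAccountControl bits relevant to delegation
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition
$NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"

# 1. Accounts with unconstrained delegation: the first-hop server in the post,
#    able to re-use any connecting client's TGT against any service.
#    Domain controllers carry this bit by default, so they are filtered out.
$dcs = (Get-ADDomainController -Filter *).Name
$unconstrained = Get-ADObject `
    -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" `
    -Properties sAMAccountName, userAccountControl, servicePrincipalName |
    Where-Object { $dcs -notcontains $_.Name }

# 2. Accounts restricted to constrained delegation, with their target SPNs and
#    whether protocol transition is enabled (the service may then obtain a
#    ticket for a user who never authenticated to it with Kerberos).
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo' |
    Select-Object sAMAccountName,
        @{n='Targets';            e={ $_.'msDS-AllowedToDelegateTo' -join ';' }},
        @{n='ProtocolTransition'; e={ [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) }}

# 3. Domain Admins whose TGT may still be forwarded by a first hop, because they
#    are neither marked "sensitive" nor members of Protected Users.
$protected = (Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue).distinguishedName
$exposedAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties userAccountControl |
    Where-Object { -not ($_.userAccountControl -band $NOT_DELEGATED) -and
                   $protected -notcontains $_.DistinguishedName }

"Unconstrained delegation (non-DC):"; $unconstrained | Format-Table sAMAccountName, servicePrincipalName -AutoSize
"Constrained delegation:";            $constrained   | Format-Table -AutoSize
"Admins delegable to a first hop:";   $exposedAdmins | Format-Table sAMAccountName -AutoSize
```

Every non-DC account in the first list can perform the double hop for any user that connects to it, so each entry should be justified or moved to constrained delegation; the third list is the set of accounts whose identity that hop would carry.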
