General

Active Directory members using Kerberos authentication are assigned a credential cache file to contain their requested Kerberos tickets. The file’s location is set through the user’s KRB5CCNAME environment variable.

env | grep KRB5CCNAME

KRB5CCNAME=FILE:/tmp/krb5cc_607000500_3aeIA5
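A FILE: cache holds tickets that anyone able to read the file can reuse, so its owner and mode are worth auditing. The shell functions below are an added example, not part of the original page; they assume the default krb5cc_<uid>[_suffix] file naming shown above and a POSIX shell with ls.

```shell
#!/bin/sh
# Added example (not from the original page): audit a file-based Kerberos
# credential cache. Assumes the default krb5cc_<uid>[_suffix] naming.

# Print the on-disk path for a KRB5CCNAME value; return 1 for cache types
# that are not a single file (KEYRING:, KCM:, DIR:, MEMORY:, ...).
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        /*)     printf '%s\n' "$1" ;;   # a bare path is treated as FILE:
        *)      return 1 ;;
    esac
}

# audit_ccache VALUE
# Exit status: 0 = no findings, 1 = findings printed, 2 = nothing to audit.
audit_ccache() (
    path=$(ccache_path "$1") || { echo "SKIP: not a file cache: $1"; exit 2; }
    [ -e "$path" ] || [ -L "$path" ] || { echo "SKIP: missing: $path"; exit 2; }
    rc=0
    set -f                      # no globbing while splitting ls output
    set -- $(ls -ldn "$path")   # $1 = mode string, $3 = numeric owner
    mode=$1 owner=$3
    # Must be a regular file with no group/other permission bits.
    case "$mode" in
        -???------*) ;;
        *) echo "FINDING: $path mode $mode (want regular file, owner-only)"; rc=1 ;;
    esac
    # Compare the owner with the UID embedded in the default file name.
    name=${path##*/}
    case "$name" in
        krb5cc_[0-9]*)
            uid=${name#krb5cc_}; uid=${uid%%_*}
            [ "$uid" = "$owner" ] ||
                { echo "FINDING: $path owned by uid $owner, name says $uid"; rc=1; }
            ;;
    esac
    exit $rc
)

# Audit the current session's cache when one is set.
[ -z "${KRB5CCNAME:-}" ] || audit_ccache "$KRB5CCNAME" || true
```
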

Acquire a Kerberos ticket-granting ticket (TGT) for the current user

kinit

List tickets currently stored in the user’s credential cache file

klist

Get a list of available Service Principal Names (SPNs) from the domain controller using ldapsearch with the -Y GSSAPI parameter, which forces it to use Kerberos authentication. Because the command also passes -W, it may ask for an LDAP password; if we just hit Enter at the prompt, it continues and uses Kerberos for authentication.

ldapsearch -Y GSSAPI -H ldap://dc01.corp1.com -D "[email protected]" -W -b "dc=corp1,dc=com" "servicePrincipalName=*" servicePrincipalName

Let’s request a service ticket from Kerberos for the MSSQL SPN returned by the search above. We can do this using the kvno utility.

kvno MSSQLSvc/DC01.corp1.com:1433

We can now access the MSSQL service and perform authenticated actions.
