566
Part II: Gaining Access and Securing the Gateway
Ticket Flags Each Kerberos ticket contains a set of bit flags that are used to indicate attributes of that ticket. Most flags can be requested by a client when the ticket is obtained. Some are turned on and off automatically by a Kerberos server as required. The following sections explain what the various flags mean, and give examples of reasons to use such a flag. Table 9.1 describes the ticket flags.
Table 9.1 Ticket Flags Bit(s)
Name
Description
0
RESERVED
Reserved for future expansion.
1
FORWARDABLE
This flag tells the Ticket Granting Server that it is OK to issue a new Ticket Granting Ticket with a different network address based on the presented ticket.
2
FORWARDED
This flag indicates that the ticket has either been forwarded or was issued based on authentication involving a forwarded Ticket Granting Ticket.
3
PROXIABLE
The PROXIABLE flag has an interpretation identical to that of the FORWARDABLE flag, except that the PROXIABLE flag tells the Ticket Granting Server that only non-Ticket Granting Tickets may be issued with different network addresses.
4
PROXY
When set, this flag indicates that a ticket is a proxy.
5
MAY-POSTDATE
This flag tells the Ticket Granting Server that a post dated ticket may be issued based on this Ticket Granting Ticket.
6
POSTDATED
This flag indicates that this ticket has been postdated.
7
INVALID
This flag indicates that a ticket must be validated before use.
8
RENEWABLE
A renewable ticket can be used to obtain a replacement ticket that expires at a later date.
9
INITIAL
This flag indicates that this ticket was issued using the Authentication Server protocol, and not issued based on a Ticket Granting Ticket.
p1vPHCP/nhb1
Internet Security Pro Ref 577-7 angela 2-2-96 CH09 LP#4