Which Kerberos token is used to obtain access to application servers after initial authentication?

• A. Service Ticket (ST)
• B. Ticket Granting Ticket (TGT)
• C. Access Token
• D. Kerberos Token

Answer: (B)

In Kerberos, the token that actually grants you access to an application server is the Service Ticket issued for that specific service. After you prove your identity to the Kerberos authentication service, you receive a Ticket Granting Ticket that you can use to request service tickets. When you need to access an application server, you use that TGT to ask the Ticket Granting Service for a Service Ticket for the target server. The server then accepts the Service Ticket and grants access based on the details contained in that ticket. The Service Ticket is the credential used for the actual access, and it’s specific to the service and time-limited. The Ticket Granting Ticket isn’t used to access services directly—it’s only a means to obtain those service tickets. An Access Token isn’t part of Kerberos, and “Kerberos Token” isn’t a standard term in the protocol.