  • Ticket Granting Ticket (TGT): An authentication ticket that can be used to request service tickets for specific domain services from the ticket granting service.
  • Key Distribution Center (KDC): A domain service that issues tickets; typically composed of the ticket granting service and the authentication service.
  • Authentication Service (AS): Issues ticket granting tickets. (Presumably in charge of authenticating users and automations.)
  • Ticket Granting Service (TGS): Issues tickets for domain services (and machines?) when presented with a ticket granting ticket. (Presumably in charge of authorizing users and automations.)
  • Service Principal Name (SPN): A service identifier. On Windows, an SPN associates a particular service instance with a domain account. All services must have a domain service account. (But it sounds like services might be associated with multiple accounts via multiple principal names assigned to multiple running instances?)
  • KDC Long Term Secret Key (KDC LT Key): A secret key used to encrypt ticket granting tickets and sign privilege attribute certificates. This is the NT hash of the KRBTGT service account.
  • Service Long Term Secret Key (Service LT Key): A secret key associated with a particular service. Used to encrypt the service portion of a service ticket and sign privilege attribute certificates. Held by individual domain service accounts.
  • Session Key: Issued with a ticket to identify a particular user session. Services expect both a ticket and a session key to be present before acting on a user’s behalf.
  • Privilege Attribute Certificate (PAC): A bundle of the user’s identifying information, which is provided along with the tickets. Importantly, this contains the user’s username and (on Windows) SID.

Note that Active Directory bundles the authentication service, ticket granting service, and KDC into a single “domain controller” role. Non-Windows Kerberos implementations are more likely to separate these roles between different servers.