A method of providing a client with a privileged access ticket (PAT) to access a target service is performed at a credentials management service (CMS) in communication with a client and an authentication service. The CMS receives a privileged access ticket request from the client. The PAT request uses authentication credentials. The CMS retrieves privileged credentials using the authentication credentials, and sends a PAT request to the authentication service using the privileged credentials. When the PAT is received, the CMS forwards the PAT to the client. Optionally, in order to acquire a PAT the CMS sends a privileged provisioning ticket (PPT) request using the privileged credentials to the authentication service, and, after the PPT is received, requests the PAT from the authentication service using the PPT.