1. A client sends the user principal (Kerberos account) name to the KDC.
2. The KDC responds with a pre-authentication request.
3. The client sends the time stamp, encrypted with the user's key (password hash).
4. The KDC sends the Ticket Granting Ticket (TGT), encrypted with the TGS key, together with the session key, encrypted with the user's key. The client decrypts the session key and caches the TGT.
5. The client sends the TGT, an authenticator (encrypted time stamp), and the desired service principal name to the KDC.
6. The KDC validates the TGT and the authenticator. The service ticket and service session key are returned to the client, encrypted with the session key from the AS Reply.
7. The client sends the service ticket and an authenticator (time stamp encrypted with the service session key) to the application server.
8. The application server decrypts the ticket with its key stored in the keytab, /etc/krb5.keytab, validates the authenticator, and sends a confirmation (client time stamp + 1), encrypted with the service session key.
9. The client decrypts the confirmation with the service session key and checks whether the time stamp is correctly updated. If so, the client starts issuing service requests.
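The application-server side of steps 7 to 9, as an added example that is not part of the original page: it shows what "validates the authenticator" has to cover (ticket opened with the keytab key, matching client name, fresh time stamp, no reuse) and the time stamp + 1 confirmation. The `seal`/`unseal` helpers are a toy stand-in for a real Kerberos encryption type, and the 300-second skew limit, the replay cache, and all names, keys and values are assumptions constructed for illustration.

```python
import hashlib, hmac, json, os
MAX_SKEW = 300  # seconds; assumed tolerance, the page does not state one

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(key, nonce, data):  # toy keystream, a stand-in for a Kerberos enctype
    ks = b"".join(_mac(key, nonce + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    body = nonce + _xor(_mac(key, b"enc"), nonce, json.dumps(obj).encode())
    return body + _mac(_mac(key, b"mac"), body)  # encrypt-then-MAC with derived subkeys

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), body)):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(_mac(key, b"enc"), body[:16], body[16:]))

class AppServer:
    def __init__(self, keytab_key):
        self.key, self.seen = keytab_key, set()  # seen: replay cache (assumed detail)

    def accept(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)  # step 8: only the keytab key opens the ticket
        skey = bytes.fromhex(t["skey"])
        a = unseal(skey, authenticator)  # proves the sender holds the session key
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["ts"]) > MAX_SKEW:
            raise ValueError("clock skew too great")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return seal(skey, {"ts": a["ts"] + 1})  # confirmation: client time stamp + 1

def demo(now=1_700_000_000):  # constructed keys, principal and clock value
    keytab_key, skey, who = os.urandom(32), os.urandom(32), "alice@EXAMPLE.COM"
    ticket = seal(keytab_key, {"client": who, "skey": skey.hex()})  # issued in step 6
    auth = seal(skey, {"client": who, "ts": now})  # step 7
    server = AppServer(keytab_key)
    first = unseal(skey, server.accept(ticket, auth, now + 2))["ts"] == now + 1  # step 9
    try:
        server.accept(ticket, auth, now + 3)  # the same authenticator presented again
    except ValueError as err:
        return first, str(err)
    return first, "replay accepted"
```

`demo()` returns whether the client's step 9 check passed, followed by the server's reason for rejecting the second presentation of the same authenticator.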