Kerberos ticket exchange sequence.         Authentication procedure: 1. A client sends the user principal (kerberos account) name to the KDC. 2. The KDC (AS) responds with a pre-authentication request. 3. The client sends the client's principal and the time stamp, encrypted with the user's key (password hash). 4. The KDC (AS) sends:   the Ticket Granting Ticket (TGT), encrypted with the TGS key   and a client/TGS session key, encrypted with the user's key. The client decrypts the session key and caches the TGT. The TGT includes the TGS copy of the client/TGS session key, client principal, ticket lifetime, KDC timestamp, client IP address. Kerberized services request procedure: 5. The client sends to KDC (TGS):   TGT   Authenticator: client principal and the time stamp, encrypted with with the client/TGS session key   desired service principal name. 6. KDC (TGS) validates the TGT and the Authenticator, then sends the following to the client:   Service ticket, encrypted with the Server key. The Service ticket includes client/Server session key, client principal, ticket lifetime, KDC timestamp, client IP address.   client/Server session key, encrypted with the client/TGS session key. 7. The client sends the following to the application server:   the Service ticket   Authenticator (the client principal and time stamp encrypted with the client/Server session key). 8. The application server decrypts the Service ticket with its key stored in the keytab, /etc/krb5.keytab, validates the authenticator and sends a confirmation (client time stamp + 1), encrypted with the client/Server session key. 9. The client decrypts the confirmation by the client/Server session key and checks whether the timestamp is correctly updated. If so, the client starts issuing service requests.