Each step of Kerberos authentication uses cryptography to protect packets from being altered or read and to provide mutual authentication. A client requests a ticket on behalf of a user from the KDC, using the user’s password to encrypt the request. If the KDC can decrypt the request with the copy of the user’s password it has stored, it knows the client has supplied the correct password for that user. The KDC then creates a ticket-granting ticket (TGT) for the user, encrypts it with the user’s password, and returns it to the client. If the client can decrypt that ticket with the user’s password, it knows that the KDC is legitimate.
A client requests a ticket for a service from the KDC by presenting its TGT together with a ticket-granting service (TGS) request that names the service principal name of the service it wants to access. The KDC creates a service ticket (TGS) encrypted with the service’s password hash (the TGS secret key), encrypts the ticket together with the authenticator message using the ticket-granting service session key it shares with the client, and sends the TGS back to the client.
A client requests access to an application server (service) by presenting the service ticket it obtained from the KDC to the application server, which decrypts the message using its own password hash. If the decryption succeeds, the application server grants the client access.
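The three exchanges described above (AS, TGS and AP), run end to end as a small stand-alone simulation. This is an added example, not code from the original text or from any Kerberos implementation: the realm, principals and passwords are constructed, and the cipher is a toy encrypt-then-MAC built from HMAC-SHA256 (stand-in for a real Kerberos encryption type). It follows the standard protocol in one detail the text glosses over: the TGT itself is sealed under the KDC's own krbtgt key, and what the client decrypts with its password-derived key is the reply carrying the session key and the opaque TGT. The point to watch is where each "can decrypt" check lands: a wrong password, a forged ticket or a mismatched authenticator all fail as a MAC error before any content is trusted.

```python
"""Toy simulation of the three Kerberos exchanges: AS (login), TGS (service
ticket), AP (access). Stdlib only. The cipher is a constructed stand-in
(HMAC-SHA256 keystream plus HMAC tag), not a real Kerberos encryption type."""
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, salt: str) -> bytes:
    """Key derived from a principal's password (stand-in for string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range(0, length, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC; only a holder of `key` can read or alter the blob."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")  # a wrong password lands here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {p: derive_key(pw, realm + p) for p, pw in principals.items()}

    def as_exchange(self, user: str, preauth: bytes) -> bytes:
        """AS-REQ/AS-REP: the encrypted timestamp proves the client knows the password."""
        ts = decrypt(self.keys[user], preauth)["timestamp"]
        if abs(time.time() - ts) > 300:
            raise ValueError("timestamp outside allowed clock skew")
        session = os.urandom(32).hex()
        # The TGT is sealed under the KDC's own krbtgt key; the client only needs to
        # decrypt the reply that carries the session key and the opaque TGT.
        tgt = encrypt(self.keys["krbtgt"], {"user": user, "session": session})
        return encrypt(self.keys[user], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, authenticator: bytes, service: str) -> bytes:
        """TGS-REQ/TGS-REP: TGT plus authenticator in, service ticket out."""
        tgt = decrypt(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        session = bytes.fromhex(tgt["session"])
        if decrypt(session, authenticator)["user"] != tgt["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"user": tgt["user"], "session": svc_session})
        return encrypt(session, {"service": service, "session": svc_session, "ticket": ticket.hex()})


def client_login(kdc: KDC, user: str, password: str) -> dict:
    key = derive_key(password, kdc.realm + user)
    reply = kdc.as_exchange(user, encrypt(key, {"timestamp": time.time()}))
    return decrypt(key, reply)  # fails unless the KDC held the same key


def client_get_service_ticket(kdc: KDC, user: str, creds: dict, service: str) -> dict:
    session = bytes.fromhex(creds["session"])
    authenticator = encrypt(session, {"user": user, "timestamp": time.time()})
    return decrypt(session, kdc.tgs_exchange(creds["tgt"], authenticator, service))


def service_accept(service_key: bytes, ticket_hex: str, authenticator: bytes) -> str:
    """AP-REQ: the service decrypts the ticket with its own key, then checks the authenticator."""
    ticket = decrypt(service_key, bytes.fromhex(ticket_hex))
    auth = decrypt(bytes.fromhex(ticket["session"]), authenticator)
    if auth["user"] != ticket["user"] or abs(time.time() - auth["timestamp"]) > 300:
        raise ValueError("authenticator rejected")
    return ticket["user"]


def run_demo(password: str = "correct horse") -> str:
    """Full flow for a constructed realm; returns the authenticated principal name."""
    realm, svc = "EXAMPLE.TEST", "http/web.example.test"
    kdc = KDC(realm, {"krbtgt": "kdc-long-term-secret", "alice": "correct horse", svc: "svc-secret"})
    creds = client_login(kdc, "alice", password)
    st = client_get_service_ticket(kdc, "alice", creds, svc)
    authenticator = encrypt(bytes.fromhex(st["session"]), {"user": "alice", "timestamp": time.time()})
    return service_accept(derive_key("svc-secret", realm + svc), st["ticket"], authenticator)


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` returns `"alice"`; calling it with any other password raises `ValueError` inside the AS exchange, because the KDC cannot verify the pre-authentication blob under the key it holds. The same check protects the service: a ticket not sealed under the service's key, or an authenticator not encrypted with the session key inside that ticket, is rejected before its fields are read.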