# Authentication ![](https://308507326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6twoQL4uXTWwvk3lNMue%2Fuploads%2FD9UGfdfi8g6LpcSEGbgT%2Fkerberos-diagram.png?alt=media\&token=d763bf2d-6e0c-4721-8e8b-3ac9973fe4e1) 1. A principal sends an authentication server request (known as AS\_REQ) to the DC. 2. If authentication succeeds, then the DC sends back a reply (AS\_REP) to the principal. In this reply is a ticket that gives the principal permission to request access to resources on the network. This ticket is called the Ticket Granting Ticket (TGT). The TGT only proves that the principal has successfully authenticated on the network and provides access to one service – the Ticket Granting Service (TGS). 3. When the principal wants to request resources on a Kerberos-enabled service, it first must request a ticket to access that specific resource from the TGS. This TGS Request (TGS\_REQ) is sent to the TGS, hosted on the DC. 4. The TGS then verifies the TGT and accepts that the principal has been given access to the requested resource presented in the TGS request. If everything checks out, then the TGS sends a reply (TGS\_REP) back to the principal with a secret key inside called the session key. The session key is used to encrypt messages between the principal and the service for which it is requesting resources. 5. Once the principal receives the TGS\_REP, it can then request access to the network resource from the service. This is done through an Application Request (AP\_REQ) to the service that is secured with the session key provided in the TGS\_REP. 6. Once the service receives the AP\_REQ, it verifies that the request is valid by decrypting the message from the principal. Successful decryption is enough to validate the request. If everything checks out, then the service allows access to the requested resources and sends a reply (AP\_REP). ![](https://308507326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6twoQL4uXTWwvk3lNMue%2Fuploads%2FpMVSg9RUXxKDAjHWBB8Y%2Fkerberos-auth.png?alt=media\&token=46057dad-e45c-4a49-9018-afc29561972c) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hsaad.gitbook.io/x/red-teaming/kerberos/authentication.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.