The Kerberos protocol is fully integrated with the Windows NT security architecture for authentication and access control. The initial Windows NT domain logon is provided by WinLogon. WinLogon uses the Kerberos security provider to obtain an initial Kerberos ticket. Other operating system components, such as the Redirector, use the SSPI interface to the Kerberos security provider to obtain a session ticket to connect to the SMB server for remote file access.
The Kerberos Version 5 protocol defines an encrypted field in session tickets to carry Authorization Data, but use of the field is left up to the applications. Windows NT uses the Authorization Data in Kerberos tickets to carry Windows NT Security IDs representing the user and group membership. The Kerberos security provider on the server-side of a connection uses the Authorization Data to build a Windows NT security access token representing the user on that system. The server follows the Windows NT security model of impersonating the client, using the access token representing the client, before attempting to access local resources protected by Access Control Lists (ACLs).
Delegation of authentication is supported in the Kerberos Version 5 protocol using proxy and forwarding flags in session tickets. Windows NT uses the delegation feature to allow servers to obtain a another session ticket to connect to remote servers on behalf of the client.