Platform SDK: Logon Authentication

Client/server (CS) Exchange

Once a user has a ticket to a server, the workstation client can establish a secure communications session with that server. This is done using the following steps.

  1. The client sends the server a message of type KRB_AP_REQ (Kerberos Application Request). This message contains an authenticator message encrypted with the key sent by the KDC for the session with the server, the ticket for sessions with the server, and a flag indicating whether the client requests mutual authentication. Whether the flag requesting mutual authentication is set is one of the options in configuring Kerberos; the user is never asked whether mutual authentication should be used.
  2. The server receives KRB_AP_REQ, decrypts the ticket, and extracts the user's authorization data and the session key.
  3. The server uses the session key from the ticket to decrypt the user's authenticator message and evaluates the timestamp inside.
  4. If the authenticator message is valid, the server checks the mutual authentication flag in the client's request.
  5. If the mutual authentication flag is set, the server uses the session key to encrypt the time from the user's authenticator message and returns the result in a message of type KRB_AP_REP (Kerberos Application Reply).
  6. When the client receives KRB_AP_REP, it decrypts the server's authenticator message with the session key it shares with the server, and compares the time sent back by the service with the time in its original authenticator message. If they match, the client is assured that the service is genuine, and the connection proceeds.
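The six steps above, both sides of the exchange, as an added example that is not part of the Platform SDK documentation. It uses a toy HMAC-based authenticated cipher in place of the Kerberos encryption types, and the service key, session key, principal name and authorization data are constructed values; the ticket stands in for what the KDC handed the client before this exchange begins.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag) standing in for the
# Kerberos cipher; the message flow, not the cipher, is what this example demonstrates.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def client_ap_req(session_key, ticket, cname, ctime, mutual=True):
    """Step 1: KRB_AP_REQ = ticket + authenticator (under the session key) + mutual flag."""
    authenticator = {"cname": cname, "ctime": ctime}
    req = {"ticket": ticket, "authenticator": seal(session_key, authenticator), "mutual": mutual}
    return req, authenticator

def server_handle_ap_req(server_key, req, now, max_skew=300):
    """Steps 2-5: open ticket, recover session key, check authenticator, build KRB_AP_REP."""
    ticket = unseal(server_key, req["ticket"])
    session_key = bytes.fromhex(ticket["session_key"])
    auth = unseal(session_key, req["authenticator"])
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(auth["ctime"] - now) > max_skew:
        raise ValueError("authenticator timestamp outside allowed clock skew")
    rep = seal(session_key, {"ctime": auth["ctime"]}) if req["mutual"] else None
    return ticket["authz"], rep

def client_check_ap_rep(session_key, authenticator, rep):
    """Step 6: the service proves it holds the session key by echoing the client's time."""
    return unseal(session_key, rep)["ctime"] == authenticator["ctime"]

def run_exchange(client_time, server_time, mutual=True):
    """Whole CS exchange; the ticket models what the KDC already gave the client."""
    server_key, session_key = os.urandom(32), os.urandom(32)   # constructed keys
    ticket = seal(server_key, {"cname": "alice@EXAMPLE.COM",    # what the KDC sealed
                               "session_key": session_key.hex(), "authz": ["users"]})
    req, auth = client_ap_req(session_key, ticket, "alice@EXAMPLE.COM", client_time, mutual)
    authz, rep = server_handle_ap_req(server_key, req, server_time)
    return authz, (client_check_ap_rep(session_key, auth, rep) if mutual else None)
```

A client clock more than `max_skew` seconds away from the server's rejects the authenticator at step 3, which is why Kerberos deployments depend on synchronized time.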