After the client has received the initial authentication, each subsequent authentication follows the pattern that is shown in the following figure.
Figure 2-2 Obtaining Access to a Service Using Kerberos Authentication
1. The client requests a ticket for a particular service, for example, to log in remotely to another machine, from the KDC by sending the KDC its ticket-granting ticket as proof of identity.

2. The KDC sends the ticket for the specific service to the client.

   Suppose user jdoe wants to access an NFS file system that has been shared with krb5 authentication required. Because jdoe is already authenticated (that is, jdoe already has a ticket-granting ticket), as jdoe attempts to access the files, the NFS client system automatically and transparently obtains a ticket from the KDC for the NFS service. To use a different Kerberized service, jdoe obtains another ticket, as in Step 1.

3. The client sends the ticket to the server.

   When using the NFS service, the NFS client automatically and transparently sends the ticket for the NFS service to the NFS server.

4. The server allows the client access.
Although these steps imply that the server never communicates with the KDC, the server does register itself with the KDC, just as the first client does. For simplicity's sake, that section has been omitted.
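
The following added example (not part of the original documentation) is a simplified Python model of the four steps, showing why the key shared at registration lets the server validate a ticket without contacting the KDC. It is a teaching model under stated assumptions: an HMAC stands in for Kerberos encryption, session keys and authenticators are omitted, and the class names, methods, and service name are constructed for illustration.

```python
import hashlib, hmac, json, os, time

def seal(key, fields):
    # Toy stand-in for Kerberos encryption: HMAC gives integrity only, no secrecy.
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed with this key")
    return json.loads(body)

class KDC:
    def __init__(self):
        self.tgs_key = os.urandom(32)   # key that seals ticket-granting tickets
        self.service_keys = {}          # long-term keys of registered servers

    def register(self, service):
        # The server registers with the KDC; afterwards both hold the same key.
        self.service_keys[service] = os.urandom(32)
        return self.service_keys[service]

    def initial_auth(self, client, lifetime=3600):
        # Initial authentication (assumed already verified): issue the TGT.
        return seal(self.tgs_key, {"client": client, "expires": time.time() + lifetime})

    def service_ticket(self, tgt, service):
        # Steps 1 and 2: the TGT proves identity; return a ticket for one service.
        t = unseal(self.tgs_key, tgt)
        if t["expires"] < time.time():
            raise ValueError("ticket-granting ticket expired")
        return seal(self.service_keys[service],
                    {"client": t["client"], "service": service, "expires": t["expires"]})

class Server:
    def __init__(self, name, kdc):
        self.name, self.key = name, kdc.register(name)

    def accept(self, ticket):
        # Steps 3 and 4: validate with the local key only; the KDC is not contacted.
        t = unseal(self.key, ticket)
        if t["service"] != self.name or t["expires"] < time.time():
            raise ValueError("ticket is for another service or has expired")
        return t["client"]

if __name__ == "__main__":
    kdc = KDC()
    nfs = Server("nfs/fileserver.example.com", kdc)   # constructed service name
    tgt = kdc.initial_auth("jdoe")
    print(nfs.accept(kdc.service_ticket(tgt, nfs.name)))
```

In this model a ticket issued for one service, a modified ticket, or the ticket-granting ticket itself is rejected by the NFS server, because none of them verifies under the key that server shares with the KDC.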