Initial Logon

Initial logon is the process by which a user first authenticates to the KDC. The client engages in an AS exchange (see section 1.3.2) with the KDC, using domain password or smartcard authentication and receives a TGT and session key. The TGT and session key are then used in subsequent protocol exchanges with the KDC in requesting service tickets.

The client SHOULD request a service ticket to its own workstation during initial logon from the KDC because the service ticket contains information about the logged on user contained in the user's PAC within the service ticket. The client can use the information in that PAC for access control purposes.

Standard Kerberos requires that the user principal name (UPN) refers to a valid domain the KDC defines (for example, user@windows.example.com). KILE SHOULD allow authentication with valid Active Directory DS UPNs ([MS-ADTS] section