4.2 Network Logon
Figure 3: Network Logon
This may cause steps 1 to 4 (section 4.1) to be repeated if new credentials are supplied. It may also cause steps 3 and 4 (section 4.1) to be repeated if the server has not previously cached a ticket for the client.
Step 5: When the service ticket to the application server is obtained, the client authenticates itself to the server by sending an AP-REQ wrapped in Generic Security Services (GSS) formatting (section 3.4 and [RFC1964]).
Invoking the Kerberos runtime to authenticate a session is typically done through the SSPI API. Higher-level constructs, for example, remote file access, can also trigger the connection. After the server-side Kerberos runtime validates the ticket and authenticator, it makes the authorization data from the ticket available to the service, typically through a Windows-specific object that is known as an access token, which is used with the Windows system-provided authorization functions.
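The GSS wrapping of the AP-REQ in step 5 can be checked on a captured token with a short parser. The following is an added example, not code from this specification: it handles only the bare Kerberos mechanism framing of [RFC1964] section 1.1, and the function names and sample token are constructed for illustration.

```python
# Added example: RFC 1964 section 1.1 token framing. All names are illustrative.
KRB5_OID = bytes.fromhex("2a864886f712010202")  # DER body of 1.2.840.113554.1.2.2
TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}


def read_der_length(buf, pos):
    """Decode a DER definite length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def unwrap_gss_krb5(token):
    """Strip the GSS framing; return (token type, inner Kerberos message)."""
    if token[:1] != b"\x60":  # [APPLICATION 0] outer tag
        raise ValueError("not a GSS initial context token")
    total, pos = read_der_length(token, 1)
    if pos + total != len(token):
        raise ValueError("outer length does not match token size")
    if token[pos:pos + 1] != b"\x06":
        raise ValueError("mechanism OID missing")
    oid_len, pos = read_der_length(token, pos + 1)
    if token[pos:pos + oid_len] != KRB5_OID:
        raise ValueError("mechanism is not Kerberos V5")
    pos += oid_len
    kind = TOK_IDS.get(bytes(token[pos:pos + 2]))
    if kind is None:
        raise ValueError("unknown TOK_ID")
    inner = bytes(token[pos + 2:])
    if kind == "AP-REQ" and inner[:1] != b"\x6e":  # [APPLICATION 14]
        raise ValueError("TOK_ID is AP-REQ but body is not an AP-REQ")
    return kind, inner


# Constructed sample: an AP-REQ tag and length over zero padding, not a real ticket.
SAMPLE_AP_REQ = b"\x6e\x81\x90" + bytes(0x90)
_body = b"\x06\x09" + KRB5_OID + b"\x01\x00" + SAMPLE_AP_REQ  # 160 bytes
SAMPLE_TOKEN = b"\x60\x81" + bytes([len(_body)]) + _body

if __name__ == "__main__":
    kind, inner = unwrap_gss_krb5(SAMPLE_TOKEN)
    print(kind, len(inner))
```

The parser rejects a token whose outer length, mechanism OID, or TOK_ID disagrees with the body, which are the mismatches worth flagging when triaging authentication traffic.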