Overview #The Ticket-Granting Service Request/Response (TGS-REQ-REP) exchange is the Kerberos Service Ticket request and response messages that are exchanged between the KDC and the client when the client is instructed to obtain a Service Ticket for a server.
How it works#When the TGS receives a request, it will read the ticket contained in the request, and will validate it. If the ticket has been issued by the AS, then the TGS has the AS secret key and can decrypt the ticket, otherwise it's potentially a forged ticket, and it will be discarded.
The TGS will then generate a Service Ticket for the targeted SP, and encrypt the ticket using the SP TGS Session Key, then encapsulate this encrypted ticket into a response which will be itself encrypted using the client's TGS Session Key.
The client will receive this response, decrypt the response, and extract the encrypted ticket. The client will then send this encrypted ticket to the targeted service, which will be able to decrypt it and validate it.
Of course, in the mean time, many checks will be done relative to the ticket validity, so one can be assured that the service is only accessible by those with the credential to do so.