AP_REP is generated when the previous AP_REQ arrives. The Kerberos Authentication Service checks whether PrincipalClient and PrincipalService exist in the KDC database: if at least one of the two does not exist, an error message is sent to the client; otherwise the Authentication Server builds the reply as follows:

The Kerberos Authentication Service randomly generates a Session Key, which will be the secret shared between the client and the TGS.

The Kerberos Authentication Service creates the Ticket Granting Ticket, putting inside it the requesting user's principal, the service principal (generally KRBTGT/REALM@REALM, but read the note* for the previous paragraph), the IP address list (these first three pieces of information are copied as they arrive in the AS_REQ packet), the date and time (of the KDC) in timestamp format, the lifetime (see note*) and lastly the session key.

The Kerberos Authentication Service generates and sends the reply containing two encrypted parts: the ticket created previously, encrypted with the secret key of the service; and the service principal, timestamp, lifetime and Session Key, all encrypted with the secret key of the user requesting the service.
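The reply construction described above, as an added example that is not part of the original page: a constructed KDC database, a toy HMAC-based cipher standing in for a real Kerberos encryption type, and the two encrypted parts built exactly as listed (ticket under the service key, client part under the user's key). Principal names, the password and the address list are constructed sample values.

```python
import hashlib, hmac, json, os, time

# Toy stand-in for a Kerberos encryption type: HMAC-SHA256 keystream plus an
# HMAC tag. Illustrative only; a real KDC uses the RFC 3961 profiles.
def encrypt(key: bytes, fields: dict) -> bytes:
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
                      for i in range(len(plain) // 32 + 1))
    body = bytes(p ^ s for p, s in zip(plain, stream))
    return nonce + body + hmac.digest(key, nonce + body, "sha256")

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + body, "sha256")):
        raise ValueError("wrong key or tampered ciphertext")
    stream = b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
                      for i in range(len(body) // 32 + 1))
    return json.loads(bytes(c ^ s for c, s in zip(body, stream)).decode())

# Constructed KDC database: principal name -> long-term secret key.
REALM = "EXAMPLE.COM"
KDC_DB = {
    "alice@" + REALM: hashlib.sha256(b"alice-password").digest(),
    "krbtgt/" + REALM + "@" + REALM: os.urandom(32),
}

def as_reply(client_principal, service_principal, addresses, lifetime):
    # Both principals must exist in the KDC database, else an error goes back.
    if client_principal not in KDC_DB or service_principal not in KDC_DB:
        return {"error": "unknown principal"}
    session_key = os.urandom(32)           # secret shared by client and TGS
    now = int(time.time())                 # the KDC's own clock, as a timestamp
    ticket = {                             # the Ticket Granting Ticket
        "client": client_principal, "service": service_principal,
        "addresses": addresses, "timestamp": now, "lifetime": lifetime,
        "session_key": session_key.hex(),
    }
    enc_part = {                           # the part only the client can read
        "service": service_principal, "timestamp": now,
        "lifetime": lifetime, "session_key": session_key.hex(),
    }
    return {
        "ticket": encrypt(KDC_DB[service_principal], ticket),    # service key
        "enc_part": encrypt(KDC_DB[client_principal], enc_part),  # user key
    }

def client_decrypts(reply, password: bytes) -> dict:
    # The client derives its key from its password and can open only enc_part;
    # the ticket stays opaque to it and is forwarded to the TGS as-is.
    return decrypt(hashlib.sha256(password).digest(), reply["enc_part"])
```

Decrypting the ticket with anything but the service key, or the client part with a wrong password, fails the tag check, which is the property that keeps the session key from anyone who holds neither long-term key.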
