<P> The client authenticates itself to the Authentication Server (AS) which forwards the username to a key distribution center (KDC). The KDC issues a ticket - granting ticket (TGT), which is time stamped and encrypts it using the TGS's secret key and returns the encrypted result to the user's workstation . This is done infrequently, typically at user logon; the TGT expires at some point although it may be transparently renewed by the user's session manager while they are logged in . </P> <P> When the client needs to communicate with another node ("principal" in Kerberos parlance) to some service on that node the client sends the TGT to the ticket - granting service (TGS), which usually shares the same host as the KDC . Service must be registered at TGT with a Service Principal Name (SPN). The client uses the SPN to request access to this service . After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues ticket and session keys to the client . The client then sends the ticket to the service server (SS) along with its service request . </P> <P> The protocol is described in detail below . </P> <Ol> <Li> A user enters a username and password on the client machine (s). Other credential mechanisms like pkinit (RFC 4556) allow for the use of public keys in place of a password . </Li> <Li> The client transforms the password into the key of a symmetric cipher . This either uses the built - in key scheduling, or a one - way hash, depending on the cipher - suite used . </Li> </Ol>

What is the kerberos version used in windows 2008