Kerberos SSP/AP
The Kerberos authentication package is used when logging on to a network; local logons are handled by MSV1_0.
When a user logs on using a network account, by default, Kerberos attempts to connect to the Kerberos Key Distribution Center (KDC) on the domain controller and obtain a ticket granting ticket (TGT) by using the logon data supplied by the user.
If a Kerberos KDC is not available, Windows uses MSV1_0 and pass-through authentication as described in MSV1_0 Authentication Package.
The Kerberos authentication package supports version 5, revision 6 of the Kerberos protocol. This protocol is based on Internet RFC 4120. For more information, see the IETF website:
For more information about Kerberos, see Microsoft Kerberos.
Kerberos Credential Formats
The user credentials assigned by the Kerberos authentication package after a successful logon attempt are a ticket and a temporary encryption key, often called a session key. The ticket contains both an encrypted copy of the client's credentials and the session key.