>Since the service ticket contains the session key encrypted with the
>service key, and the service knows its key via the keytab file, the
>service is able to decrypt the ticket, get the session key, decrypt the
>remaining part of the authenticator, and compare the identity encrypted
>with the session key with the identity embedded in the ticket service,
>enabling it to authenticate the client.
>
>All of this without the service contacting the KDC. That is the most
>important point.
>
>Am I right?

Yes.

--Ken
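
The check the quoted message describes, as an added example that is not part of the original thread: the service unseals the ticket with its keytab key, recovers the session key, unseals the authenticator and compares identities, with no call to the KDC. The HMAC-based `seal`/`unseal` pair is a toy stand-in for a real Kerberos encryption type, and the JSON field names, principal and keys are constructed for illustration.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (toy construction).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def seal(key, obj):
    # Toy encrypt-then-MAC standing in for a Kerberos enctype (assumption).
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("integrity check failed: wrong key or tampered data")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))
    return json.loads(pt)

def service_verify(keytab_key, ticket, authenticator, now, max_skew=300):
    # Service side: only the keytab key is needed, no message to the KDC.
    t = unseal(keytab_key, ticket)                  # ticket sealed under service key
    session_key = bytes.fromhex(t["session_key"])   # recovered from the ticket
    a = unseal(session_key, authenticator)          # proves client holds session key
    if a["client"] != t["client"]:
        raise ValueError("authenticator identity does not match ticket")
    # Freshness checks: part of Kerberos, not mentioned in the quoted message.
    if now > t["endtime"] or abs(now - a["ctime"]) > max_skew:
        raise ValueError("ticket expired or authenticator outside clock skew")
    return t["client"]

def build_demo(now=1_700_000_000):
    # Constructed sample values: the KDC's and client's parts of the exchange.
    keytab_key, session_key = os.urandom(32), os.urandom(32)
    client = "alice@EXAMPLE.COM"
    ticket = seal(keytab_key, {"client": client, "endtime": now + 3600,
                               "session_key": session_key.hex()})
    authenticator = seal(session_key, {"client": client, "ctime": now})
    return keytab_key, session_key, ticket, authenticator, now

if __name__ == "__main__":
    k, _, tkt, auth, now = build_demo()
    print(service_verify(k, tkt, auth, now))
```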