Microsoft describes the communication steps to receive a TGS as follows:
- client asks Kerberos DC for Ticket Granting Ticket
- client receives TGT (if authenticated successfully)
- client asks KDC for Ticket Granting Service, to get access to a certain platform
- client receives TGS (if TGT was valid)
- client accesses the platform and offers the TGS
- platform grants access (if the token is accepted)

I wonder how the client could ask for a certain TGS in the first place when the user hasn't even tried to access the destination platform. Or is this user step just omitted in the illustration given above?
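
The six steps listed above as a runnable toy model, added here as an illustration; it is not part of the original post or of Microsoft's documentation. The target service name is passed as a parameter of the TGS request. Assumptions: the principal names, the `seal`/`unseal` helpers and the XOR-plus-HMAC construction are hypothetical stand-ins for real Kerberos encryption, and authenticators, timestamps and use of the session key are omitted.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a keystream (toy construction for this demo only)
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Stand-in for Kerberos encryption: XOR keystream + HMAC tag, not a real etype
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, keys):
        self.keys = keys                      # principal name -> long-term key

    def as_req(self, user):                   # steps 1-2: issue the TGT
        sk = os.urandom(16).hex()
        return (seal(self.keys["krbtgt"], {"user": user, "sk": sk}),
                seal(self.keys[user], {"sk": sk}))

    def tgs_req(self, tgt, service):          # steps 3-4: the request names the service
        user = unseal(self.keys["krbtgt"], tgt)["user"]
        return seal(self.keys[service], {"user": user, "service": service})

def service_accepts(service_key, service, ticket):   # steps 5-6
    claims = unseal(service_key, ticket)
    if claims["service"] != service:
        raise ValueError("ticket issued for another service")
    return claims["user"]

def run_flow():
    # Constructed principals and random keys, for illustration only
    keys = {p: os.urandom(32) for p in ("krbtgt", "alice", "http/web01", "cifs/fs01")}
    kdc = KDC(keys)
    tgt, reply = kdc.as_req("alice")
    unseal(keys["alice"], reply)              # only alice's key opens the AS reply
    ticket = kdc.tgs_req(tgt, "http/web01")   # TGS request for one named service
    return keys, tgt, ticket
```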