Requesting a Service

When a client process started by the user wishes to access a specific application server, the following steps occur:

1. The client process requests a ticket to access Server A from the Authentication Service. Because this request includes the client's TGT, the Authentication Service knows that the client is who it claims to be and issues the requested ticket.

2. A ticket is granted, allowing the authenticated client to prove its identity to Server A. This new ticket contains, among other things, the client's PAC, extracted from the TGT by the Authentication Service. The ticket can be used for multiple communications between the same client and server until the ticket's lifetime expires; a renewal must then be requested.

3. The client issues a remote procedure call that requests Server A to perform some operation on Object Y. The ticket for Server A is presented along with this request.

4. Server A uses the ticket to verify the client's identity. Server A's ACL Manager then compares the ticket's PAC to Object Y's ACL. If they match, the request is allowed; if they do not match, the request is refused. The authorization decision is made only by Server A; the cell's Security server is not involved.

Figure 12 Requesting a Service
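The four steps above can be modeled as follows. This is an added example, not code from DCE: an HMAC under a constructed Server A key stands in for the encryption that protects a real ticket, and the names, the sample ACL, and the user-entry-then-group-entries matching order are assumptions of the sketch.

```python
import hashlib
import hmac
import json

SERVER_A_KEY = b"constructed-server-a-key"  # shared by Server A and the Authentication Service

def seal(body, key):
    # Stand-in for ticket encryption: only a holder of the server key can produce it.
    return hmac.new(key, body, hashlib.sha256).digest()

def issue_service_ticket(tgt, server, server_key, now, lifetime=600):
    """Steps 1-2: copy the PAC out of the (already validated) TGT into a ticket for one server."""
    body = json.dumps({"server": server, "pac": tgt["pac"], "expires": now + lifetime},
                      sort_keys=True).encode()
    return {"body": body, "seal": seal(body, server_key)}

def verify_ticket(ticket, server, server_key, now):
    """Step 4, first half: the server checks seal, target and lifetime on its own."""
    if not hmac.compare_digest(seal(ticket["body"], server_key), ticket["seal"]):
        raise PermissionError("ticket altered or not issued for this server")
    fields = json.loads(ticket["body"])
    if fields["server"] != server:
        raise PermissionError("ticket names a different server")
    if now >= fields["expires"]:
        raise PermissionError("ticket lifetime expired; a renewal must be requested")
    return fields["pac"]

def acl_allows(pac, acl, permission):
    """Step 4, second half: compare the PAC's identities with the object's ACL."""
    user_entry = acl.get(("user", pac["principal"]))
    if user_entry is not None:          # a matching user entry decides alone
        return permission in user_entry
    granted = set()
    for group in pac["groups"]:         # otherwise union the matching group entries
        granted |= set(acl.get(("group", group), ""))
    return permission in granted

def handle_rpc(ticket, obj_acl, permission, now):
    """Server A's decision for one call (step 3 arrives here); no Security server lookup."""
    try:
        pac = verify_ticket(ticket, "server-a", SERVER_A_KEY, now)
    except PermissionError:
        return False
    return acl_allows(pac, obj_acl, permission)

# Constructed sample data: a TGT carrying a PAC, and Object Y's ACL.
TGT = {"pac": {"principal": "alice", "groups": ["ops"]}}
OBJECT_Y_ACL = {("user", "bob"): "rw", ("group", "ops"): "r"}
```

Because the PAC travels inside the sealed ticket, a client that edits it or presents it after the lifetime ends is refused before the ACL is consulted.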