Getting a Kerberos TGT is the first step in authenticating to the domain and using services on the network. The Kerberos KDC on the domain controller and the Kerberos security support provider (SSP) on the client collaborate to authenticate and authorize the user, who can then use services throughout the network.
Obtaining a TGT and a session key to the computer you are logging on to completes successfully before you ever see the desktop.
Before you can trade credentials with the KDC, you must find one on the network. The client uses the local DNS resolver to query the configured DNS server for the SRV record for a DNS server in its site. This ensures that ...
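The site-aware KDC lookup described above, as an added example that is not part of the original page. It uses the `_kerberos._tcp` SRV owner names that Active Directory domain controllers register and orders the answers per RFC 2782. The domain `corp.example`, the site names, the host names and the `ZONE` data are constructed, and the function names are hypothetical.

```python
import random

# Constructed sample zone data (not from the page): owner name -> SRV answers.
ZONE = {
    "_kerberos._tcp.branch._sites.dc._msdcs.corp.example": [
        {"priority": 0, "weight": 100, "port": 88, "target": "dc-br1.corp.example"},
    ],
    "_kerberos._tcp.dc._msdcs.corp.example": [
        {"priority": 0, "weight": 100, "port": 88, "target": "dc-hq1.corp.example"},
        {"priority": 0, "weight": 100, "port": 88, "target": "dc-hq2.corp.example"},
        {"priority": 10, "weight": 0, "port": 88, "target": "dc-dr1.corp.example"},
        {"priority": 0, "weight": 100, "port": 88, "target": "dc-br1.corp.example"},
    ],
}

def kdc_srv_names(domain, site=None):
    """SRV owner names to try: site-specific first, then domain-wide."""
    names = [("domain", f"_kerberos._tcp.dc._msdcs.{domain}")]
    if site:
        names.insert(0, ("site", f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"))
    return [(scope, name.lower()) for scope, name in names]

def order_srv(records, rng=random):
    """RFC 2782 ordering: lowest priority first, weighted random within a priority."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        group = sorted((r for r in records if r["priority"] == prio),
                       key=lambda r: r["weight"] != 0)  # zero-weight records first
        while group:
            pick = rng.randint(0, sum(r["weight"] for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec["weight"]
                if running >= pick:  # first record whose running sum reaches pick
                    ordered.append(group.pop(i))
                    break
    return ordered

def locate_kdc(domain, site, zone=ZONE, rng=random):
    """Return (scope, [(host, port), ...]); scope 'domain' means the site had no record."""
    for scope, name in kdc_srv_names(domain, site):
        answers = zone.get(name, [])
        if answers:
            return scope, [(r["target"], r["port"]) for r in order_srv(answers, rng)]
    return None, []

if __name__ == "__main__":
    for site in ("Branch", "Lab"):
        print(site, locate_kdc("corp.example", site))
```

A result with scope `domain` for a client that belongs to a site is worth checking: the site has no registered KDC record, so logons from it may be served by a domain controller in another site.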