Kerberos uses the credentials in a Ticket Granting Ticket (TGT) to verify the identity of users and control access to services. Depending on your environment, you will need to establish a procedure for obtaining a TGT.

If an application uses Kerberos authentication from a Windows client and Kerberos authentication is provided by Windows Active Directory, Windows Active Directory automatically obtains a TGT for the user.

In contrast, if Kerberos authentication is provided by MIT Kerberos, you can allow the application to obtain a TGT in one of two ways. First, you can automate the method of obtaining the TGT as with a keytab. Second, you can require the application user to obtain the TGT with a kinit command when logging on.

A TGT can be obtained directly with a kinit command to the Kerberos server. For example, the following command requests a TGT from the server with a lifetime of 10 hours, which is renewable for 5 days.

kinit -l 10h -r 5d user
Note: The klist command can be used on Windows or UNIX/Linux systems to verify that a TGT has been obtained.
Refer to your Kerberos documentation for more information on using a keytab file to automate the process of obtaining a TGT.