The above diagram illustrates the CAC/KCD logical authorization process:

  1. A client attempts to access an ESP-protected service using CAC credentials.
  2. The LoadMaster checks with a trusted OCSP responder that the credentials are still valid.
  3. After mapping the SAN, which contains the client's User Principal Name (UPN), in Active Directory, the LoadMaster obtains a service ticket for the user and a service ticket for the application.
  4. The LoadMaster forwards the user’s service ticket to the desired service.
  5. The LoadMaster passes the response to the client, who gains access to the application/service.
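
Step 3 depends on reading the UPN out of the certificate's SAN, where it is carried as an otherName entry. The following is an added example, not LoadMaster code: it parses the DER-encoded GeneralNames value of a SAN extension with the Python standard library and returns the UPN. The function names, the constructed sample SAN and the "exactly one UPN" policy are assumptions made for illustration.

```python
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3, Microsoft UPN otherName

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def upns_from_san(san_der):
    """Return every UPN otherName in a DER-encoded GeneralNames value."""
    tag, names, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("SAN is not a single GeneralNames SEQUENCE")
    upns, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:  # only otherName [0] can carry a UPN
            continue
        oid_tag, oid, nxt = read_tlv(body, 0)
        if oid_tag != 0x06 or oid != UPN_OID:
            continue
        wrap_tag, wrapped, _ = read_tlv(body, nxt)  # [0] EXPLICIT wrapper
        str_tag, raw, _ = read_tlv(wrapped, 0)      # UTF8String holding the UPN
        if wrap_tag != 0xA0 or str_tag != 0x0C:
            raise ValueError("UPN otherName has unexpected encoding")
        upns.append(raw.decode("utf-8"))
    return upns

def mapped_upn(san_der):
    """Example policy (an assumption): fail closed unless exactly one UPN is present."""
    upns = upns_from_san(san_der)
    if len(upns) != 1 or upns[0].count("@") != 1:
        raise ValueError("certificate does not map to exactly one UPN")
    return upns[0]

def tlv(tag, content):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(content)]) + content
# Constructed sample SAN: an rfc822Name [1] followed by a UPN otherName [0].
SAMPLE_SAN = tlv(0x30, tlv(0x81, b"user@example.test") + tlv(0xA0,
    tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"1234567890@example.test"))))
```

The input is the GeneralNames value inside the SAN extension, not the whole certificate; a certificate with no UPN, several UPNs or malformed DER raises `ValueError` instead of yielding a name to look up.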