1. Prior to accessing the ProxySG appliance, the user logs into the local domain and obtains a TGT.
2. The user attempts to access a URL that requires authentication; the ProxySG appliance sends a challenge asking for Kerberos credentials.
3. The client workstation obtains a Service Ticket from the KDC:
- The Service Ticket is generated based on the authentication challenge URL.
- The challenge URL identifies the service.
- The challenge URL depends on the authentication mode.
4. The Service Ticket is presented to BCAAA.
5. BCAAA validates the Service Ticket without consulting a DC.
- Validation is performed with the Windows SSPI API.
- SSPI is the Security Support Provider Interface, similar to GSSAPI.
- The service key is the password hash of the BCAAA service user.
- If BCAAA runs as Local System, this is the machine account password.
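
Steps 3 to 5 only work when the SPN derived from the challenge URL is registered on the one account whose key BCAAA holds. The check below is an added example, not code from the original page or from the product. It assumes the client requests `HTTP/<host>` without a port and that the directory's default mapping lets `HOST/<host>` answer for `HTTP/<host>`; the function names and the sample accounts are constructed.

```python
from urllib.parse import urlsplit

def spn_for_challenge_url(url):
    """SPN a client requests for a challenge URL (assumption: HTTP/<host>, no port)."""
    host = urlsplit(url).hostname  # urlsplit lowercases the host and drops the port
    if not host:
        raise ValueError(f"no host in challenge URL: {url!r}")
    return f"HTTP/{host}"

def check_spn(url, registrations, bcaaa_account):
    """Classify whether a ticket for this URL is issued under the key BCAAA holds.

    registrations maps account name -> list of registered SPNs.
    bcaaa_account is the BCAAA service user, or the machine account (NAME$)
    when BCAAA runs as Local System.
    """
    spn = spn_for_challenge_url(url)
    # Assumption: default AD sPNMappings let HOST/<host> stand in for HTTP/<host>.
    wanted = {spn.lower(), "host/" + spn[len("HTTP/"):]}
    owners = sorted(acct for acct, spns in registrations.items()
                    if wanted & {s.lower() for s in spns})
    if not owners:
        return spn, "missing"        # KDC cannot map the SPN to any account
    if len(owners) > 1:
        return spn, "duplicate"      # SPN is ambiguous, no single service key
    if owners[0].lower() != bcaaa_account.lower():
        return spn, "wrong-account"  # ticket uses a key BCAAA does not hold
    return spn, "ok"

# Constructed sample data (not from the page): account -> registered SPNs.
SAMPLE = {
    "svc-bcaaa": ["HTTP/proxy-auth.corp.example"],
    "BCAAA01$": ["HOST/bcaaa01.corp.example", "HTTP/portal.corp.example"],
    "svc-web": ["HTTP/portal.corp.example"],
}

if __name__ == "__main__":
    for url, account in (
        ("http://proxy-auth.corp.example:8080/auth", "svc-bcaaa"),
        ("http://bcaaa01.corp.example/", "BCAAA01$"),   # Local System case
        ("http://portal.corp.example/", "svc-bcaaa"),
        ("http://unregistered.corp.example/", "svc-bcaaa"),
    ):
        print(url, account, "->", check_spn(url, SAMPLE, account))
```

Any result other than `ok` means BCAAA cannot validate the Service Ticket offline in step 5, because the ticket is either never issued or is encrypted with a key that is not the BCAAA account's password hash.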