How does Kerberos authentication work with the ProxySG and BCAAA?

Article ID: 165910

Products

ProxySG Software - SGOS

Issue/Introduction

1. Prior to accessing the ProxySG appliance, the user logs into the local domain and obtains a TGT.

2. The user attempts to access a URL that requires authentication; the ProxySG appliance sends a challenge asking for Kerberos credentials.


3. The client workstation obtains a Service Ticket from the KDC:
   - The Service Ticket is generated based on the authentication challenge URL.
   - The challenge URL identifies the service.
   - The challenge URL depends on the authentication mode.

4. The Service Ticket is presented to BCAAA.


5. BCAAA validates the Service Ticket without consulting a DC.
   - Validation is performed with the Windows SSPI API.
      - Security Support Provider Interface, similar to GSSAPI.
   - The service key is the password hash of the BCAAA service user.
      - If BCAAA runs as Local System, this is the machine account password.
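
The following simplified model of steps 3 to 5 is an added illustration, not Broadcom or BCAAA code. It shows why the service can validate a ticket without contacting a DC: the ticket is sealed under a key derived from the service account password, which the service already holds. Assumptions: all function names, the realm, account, password and URL are constructed; the `HTTP/<host>` service name form is assumed; HMAC-SHA256 stands in for Kerberos ticket encryption, and only the PBKDF2 stage of the RFC 3962 string-to-key is used.

```python
import hashlib, hmac, json
from urllib.parse import urlsplit

def spn_from_challenge_url(url):
    # Step 3: the challenge URL's host names the service (assumed form: HTTP/<host>).
    return "HTTP/" + urlsplit(url).hostname

def service_key(password, realm, account):
    # Long-term key derived from the service account password. Simplified:
    # PBKDF2 stage of the RFC 3962 string-to-key only, salt modelled as realm+account.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + account).encode(), 4096, 32)

def kdc_issue_ticket(key, user, spn, now, lifetime=600):
    # KDC side: seal the ticket under the service key.
    # HMAC-SHA256 stands in for Kerberos ticket encryption in this model.
    body = json.dumps({"user": user, "spn": spn, "exp": now + lifetime}).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def bcaaa_validate(key, ticket, expected_spn, now):
    # Step 5: the locally held key is all that is needed; no call to a DC.
    body, tag = ticket
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None                      # sealed under a different key
    claims = json.loads(body)
    if claims["spn"] != expected_spn:
        return None                      # ticket was issued for another service
    if claims["exp"] < now:
        return None                      # ticket lifetime has passed
    return claims["user"]

if __name__ == "__main__":
    url = "http://proxy.example.test:8080/auth"   # constructed challenge URL
    spn = spn_from_challenge_url(url)
    key = service_key("constructed-pw", "EXAMPLE.TEST", "bcaaa-svc")
    ticket = kdc_issue_ticket(key, "alice", spn, now=1000)
    print(bcaaa_validate(key, ticket, spn, now=1100))
    # Service account password changed after issuance: the old ticket fails.
    rotated = service_key("new-pw", "EXAMPLE.TEST", "bcaaa-svc")
    print(bcaaa_validate(rotated, ticket, spn, now=1100))
```

In this model a ticket fails validation when the service account password differs from the one the KDC used, when the challenge URL host does not match the service name in the ticket, or when the ticket has expired.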