How SPNEGO SSO authentication works
The following image depicts how SPNEGO SSO authentication works.
1. The browser sends a request to the web server.
2. The web server replies with an HTTP 401 Unauthorized response and proposes negotiation.
3. The browser decides to go with Kerberos (because it is configured to do so). The browser takes the client ticket from the local ticket cache and uses that ticket to request a service ticket for HTTP/tomcat01@PLANON.COM from the domain controller.
4. The domain controller validates the client ticket and returns the service ticket.
5. The browser sends a login request to the web server.
6. The web server verifies the ticket of the client against the keytab.
7. If the ticket is validated, the server accepts the login request.
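
The header exchange in steps 2 and 5, seen from the web server, as an added example that is not part of the original page: it decides whether a request should be challenged, handed on for ticket validation against the keytab, or refused because the browser sent an NTLM token instead of a Kerberos one. The function names, the constructed sample tokens and the policy of rejecting NTLM are assumptions; the header names are those of the standard HTTP Negotiate scheme, and the ticket validation itself is left to the server's Kerberos library.

```python
import base64

# DER-encoded mechanism OIDs that can lead a SPNEGO mechTypes list
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2

def classify_token(authorization):
    """Return 'kerberos', 'ntlm', 'unknown' or 'malformed' for an Authorization value."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "malformed"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):        # raw NTLM, no SPNEGO wrapper
        return "ntlm"
    if token[:1] != b"\x60":                    # GSS-API initial token tag
        return "unknown"
    # Heuristic byte scan (not a DER parser): the first mechanism OID in the
    # token header is the one the client prefers.
    head = token[:64]
    hits = [(head.find(oid), name) for oid, name in MECH_OIDS.items() if oid in head]
    return min(hits)[1] if hits else "unknown"

def next_step(request_headers):
    """Server-side decision for steps 2 and 5-6 of the flow."""
    auth = request_headers.get("Authorization")
    if auth is None:
        return "challenge"          # step 2: 401 + 'WWW-Authenticate: Negotiate'
    kind = classify_token(auth)
    # Rejecting NTLM fallback is an assumed policy, not something the page states.
    return {"kerberos": "validate_ticket", "ntlm": "reject_ntlm"}.get(kind, "reject_unsupported")

def tlv(tag, body):                 # short-form DER length; enough for the sample
    return bytes([tag, len(body)]) + body

def sample_kerberos_header():
    """Constructed SPNEGO NegTokenInit offering Kerberos; the 'ticket' is dummy bytes."""
    mech_types = tlv(0xA0, tlv(0x30, bytes.fromhex("06092a864886f712010202")))
    mech_token = tlv(0xA2, tlv(0x04, b"constructed"))
    init = tlv(0xA0, tlv(0x30, mech_types + mech_token))
    return "Negotiate " + base64.b64encode(tlv(0x60, SPNEGO_OID + init)).decode()

SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

An NTLM result at step 5 usually means the browser could not obtain the service ticket in step 3, so it is worth logging separately from malformed headers.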