From Kerberos architecture perspective, according to this graph during TGS_REP Client gets a service ticket which is encrypted using TGS session key. After that Client takes the service ticket to Application Server to get a service.
I have seen that some document said that there is no interaction between TGS and application server. So my question is how Application Server decrypt the service ticket without TGS session key to verify the correctness of the service ticket?
