I'm reading *Kerberos: The Definitive Guide*, the original paper from *Xerox (Needham-Schroeder)*, the MIT site and Wikipedia. **I'm having some challenges putting the protocol together. Is this correct? Is there some other documentation on it?**
I tried to follow the Xerox article's "Protocol 1" more closely, as it seems to show the **protocol** in more detail. I omit the PKE case (PKINIT) for now; that will be another post.
**Kerberos 5: Needham-Schroeder Protocol**
A = *Client Principal* A, B = *Server Principal* B, AS = *Authentication Server*, I = *time*, A->B : {G, H, I} = *A sends a message to B with contents {...}*. {B}^{KA} = *Key A encrypts {B}*. CK_AB = *conversation session key between A and B*.
Requesting a ticket to another service, start with TGS Ticket Granting Server.
Client Authentication to AS:
1. Initial request when the client has no tickets or the tickets are expired, B = "krbtgt/REALM@REALM" client principal (Ticket Granting Server TGS); *kinit* sends it to the KDC.
2. **A -> AS : {A, B, I_a, I_max}** : AS_REQ
3. AS verifies that the B principal exists and the time stamp I is close to local time. Grants a ticket or throws an error in AS_RESP. Assume no error here.
4. Authentication server responds with timestamp I, B/TGS Principal, Session Key CK_AB for A and B, Ticket Granting Ticket (TGT) encrypted with KB_KTGS.
5. **AS -> A : {I_a, I_max, B, CK_AB, {CK_AB, A, I_a, I_max}^{KB}}^{KA}** : AS_REP
6. Ticket Granting Ticket TGT = **{CK_AB, A, I_a, I_max}^{KB}**, and **CK, I** can be stored in client's local *credential cache*. See below on caching protocol change.
7. Make request to Ticket Granting Server TGS using the *authenticator* {CK_AB, A, I_a, I_max}^{KB}.
8. **A->B : {CK_AB, A, I_a, I_max}^{KB}** : TGS_REQA
9. Now continue with *Replay Attack Prevention*.
This is as documented by *Xerox paper*:
10. **B->A : {I_b}^{CK_AB}** : TGS_REQB : where B is the TGS and I_b is the ticket lifetime
11. **A->B : {I_b - 1}^{CK_AB}** : TGS_REQB
This is as documented by *The Definitive Guide*:
10. **A->B : {I_b}^{CK_AB}** : TGS_REQB
11. **B->A : {I_b + 1}^{CK_AB}** : TGS_REQB
Client A Service Authorization request to TGS to access service from C:
12. **A->B: {A, C, I_a, {CK_AB, A, I_a, I_max}^{KB}}^{CK_AB}** : TGS_REQC
13. TGS/B creates a new session key CK_AC for A and C to communicate; it is sent in the reply.
14. **B->A: {CK_AC, I_c, {CK_AC, A, A_IP, I}^{KC}}^{CK_AB}** : TGS_REP
Client A Service Request to C:
15. Client has session key **{CK_AC, I_c, {CK_AC, A, I}^{KC}}^{CK_AB}**
16. Client sends Authenticator to Application Server
17. **A->C: {A, C, I_a, {CK_AC, A, I}^{KC}}^{CK_AC}** : AP_REQ
18. Server provides requested services to client. : AP_REP
Steps if CK is kept in the client credential cache; this reduces the protocol to 3 steps, reduces the compute on the AS to generate {I_a, B, CK, {CK,A}^{KB}}^{KA} and on the client to decrypt it, and reduces network traffic:
1. **A->B : {CK_AB, A}^{KB}, {I_A2}^{CK_AB}**
2. **B->A : {I_A2 - 1, I_B}^{CK_AB}**
3. **A->B : {I_B - 1}^{CK_AB}**
Asked by atod
(155 rep)
Jul 17, 2025, 01:18 AM
Last activity: Jul 17, 2025, 04:08 PM
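As an added example that is not part of the question above or of any of the sources it cites, here is a Python simulation of the three exchanges as the question lays them out (AS, TGS, AP). A toy authenticated-encryption helper stands in for a real Kerberos enctype, the principal keys are constructed at run time, and each ticket-accepting party performs the checks a defender cares about: a ticket is only readable with that service's long-term key, the principal in the authenticator must match the one sealed in the ticket, the timestamp must be within clock skew, an expired ticket is refused, and a replay cache rejects a resubmitted authenticator. The names `KDC`, `Service`, `seal`/`unseal`, `check_authenticator` and the `SKEW` constant are this example's own assumptions, not identifiers from the question or from any Kerberos implementation.

```python
import hashlib
import hmac
import json
import os

SKEW = 300                    # assumed acceptable clock skew in seconds (Kerberos' usual 5 minutes)
TGS = "krbtgt/REALM@REALM"    # ticket-granting service principal, as written in the question


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Keystream for the toy cipher: SHA-256 over key||nonce||counter, enough blocks for n bytes.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, msg: dict) -> bytes:
    # Toy authenticated encryption standing in for a Kerberos enctype (constructed for this
    # example, not a real cipher): XOR with the keystream, then an HMAC-SHA256 tag over it.
    plain = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad MAC: wrong key or tampered message")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))


def check_authenticator(auth: dict, ticket: dict, now: int, seen: set) -> None:
    # Checks every ticket-accepting party performs before trusting an AP_REQ/TGS_REQ.
    if auth["A"] != ticket["A"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(now - auth["I_a"]) > SKEW:
        raise ValueError("authenticator timestamp outside clock skew")
    if "I_max" in ticket and now > ticket["I_max"]:
        raise ValueError("ticket expired")
    if (auth["A"], auth["I_a"]) in seen:      # replay cache keyed on (principal, timestamp)
        raise ValueError("replayed authenticator")
    seen.add((auth["A"], auth["I_a"]))


class KDC:
    """AS and TGS share one principal database and one replay cache (assumption)."""

    def __init__(self, keys: dict):
        self.keys = keys      # principal -> long-term key
        self.seen = set()     # replay cache for TGS authenticators

    def as_exchange(self, req: dict, now: int) -> bytes:
        # AS_REQ {A, B, I_a, I_max} arrives in the clear; B must exist and I_a must be fresh.
        a, b, i_a, i_max = req["A"], req["B"], req["I_a"], req["I_max"]
        if b not in self.keys or abs(now - i_a) > SKEW:
            raise ValueError("KDC error: unknown principal or clock skew too great")
        ck_ab = os.urandom(16).hex()
        tgt = seal(self.keys[b], {"CK": ck_ab, "A": a, "I_a": i_a, "I_max": i_max})  # {CK_AB,A,I_a,I_max}^KB
        # AS_REP {I_a, I_max, B, CK_AB, TGT}^KA: only the holder of KA learns CK_AB.
        return seal(self.keys[a], {"I_a": i_a, "I_max": i_max, "B": b, "CK": ck_ab, "TGT": tgt.hex()})

    def tgs_exchange(self, req: dict, now: int) -> bytes:
        # TGS_REQ: the TGT plus an authenticator {A, C, I_a}^CK_AB proving possession of CK_AB.
        tgt = unseal(self.keys[TGS], bytes.fromhex(req["ticket"]))
        ck_ab = bytes.fromhex(tgt["CK"])
        auth = unseal(ck_ab, bytes.fromhex(req["auth"]))
        check_authenticator(auth, tgt, now, self.seen)
        ck_ac = os.urandom(16).hex()
        st = seal(self.keys[auth["C"]], {"CK": ck_ac, "A": tgt["A"], "I": now})  # {CK_AC, A, I}^KC
        return seal(ck_ab, {"CK": ck_ac, "I_c": now, "ST": st.hex()})            # TGS_REP under CK_AB


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def ap_exchange(self, req: dict, now: int) -> bytes:
        # AP_REQ: service ticket plus authenticator {A, I_a}^CK_AC.
        st = unseal(self.key, bytes.fromhex(req["ticket"]))
        ck_ac = bytes.fromhex(st["CK"])
        auth = unseal(ck_ac, bytes.fromhex(req["auth"]))
        check_authenticator(auth, st, now, self.seen)
        return seal(ck_ac, {"I_a": auth["I_a"]})   # AP_REP: echo timestamp under CK_AC (mutual auth)


def client_flow(kdc: KDC, service: Service, ka: bytes, now: int):
    as_rep = unseal(ka, kdc.as_exchange({"A": "A", "B": TGS, "I_a": now, "I_max": now + 36000}, now))
    ck_ab = bytes.fromhex(as_rep["CK"])              # CK_AB and the TGT go into the credential cache
    tgs_req = {"ticket": as_rep["TGT"],
               "auth": seal(ck_ab, {"A": "A", "C": service.name, "I_a": now + 1}).hex()}
    tgs_rep = unseal(ck_ab, kdc.tgs_exchange(tgs_req, now + 1))
    ck_ac = bytes.fromhex(tgs_rep["CK"])
    ap_req = {"ticket": tgs_rep["ST"], "auth": seal(ck_ac, {"A": "A", "I_a": now + 2}).hex()}
    ap_rep = unseal(ck_ac, service.ap_exchange(ap_req, now + 2))
    return ap_req, ap_rep["I_a"] == now + 2          # True when C proved it holds KC


def demo(now: int = 1_700_000_000):
    keys = {"A": os.urandom(16), TGS: os.urandom(16), "C": os.urandom(16)}  # constructed keys
    kdc, svc = KDC(keys), Service("C", keys["C"])
    ap_req, mutual_ok = client_flow(kdc, svc, keys["A"], now)
    try:                                  # the same AP_REQ presented again: replay cache catches it
        svc.ap_exchange(ap_req, now + 3)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:                                  # AS_REQ with a stale timestamp: skew check catches it
        kdc.as_exchange({"A": "A", "B": TGS, "I_a": now - 3600, "I_max": now}, now)
        skew_rejected = False
    except ValueError:
        skew_rejected = True
    return mutual_ok, replay_rejected, skew_rejected


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The model keeps the ticket and the authenticator as separate objects so it is visible which key protects which field: CK_AB is never sent in the clear, the TGS reads the TGT with KB alone, and the service reads the service ticket with KC alone. The replay cache is deliberately per-acceptor and keyed on (principal, timestamp), which is why the second presentation of the same AP_REQ fails even though its timestamp is still within skew.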