How Kerberos works

It took me a long time to understand exactly how Kerberos works, and being a visual person, I thought an explanatory video might help others in the same boat. A rough transcript of the video appears below:
In this case the DC has the role of Key Distribution Centre (KDC) and also maintains the Authentication Server service (AS Server) and Ticket Granting Server (TGS) but that doesn't have to be the case.
An AS request is sent to the KDC with a timestamp encrypted with the user's password hash. The hash and timestamp are checked to prevent replay attacks. The server sends back an AS Reply which includes a session key encrypted with the user's hash, and a ticket-granting ticket, encrypted with the TGS key. The client has now been authenticated for 10 hours, after which automatic renewal will occur. Authentication has finished.
To use a service, the client sends a Ticket-Granting Service request to the KDC containing the user name, a timestamp encrypted with the session key, the SPN of the resource and the encrypted TGT. The KDC decrypts the TGT using the secret key only it knows. It checks:
The timestamp
The requesting user matches the original TGT user
The client IP matches the ticket IP
A Ticket Granting Server Reply is returned with the SPN, a session key, and a service ticket containing the username, group memberships and session key.
The client then sends the SPN server an Application Request. The server checks the user details and then assigns the user the group memberships that are specified in the ticket.