Issued by the TGS, it is used to identify to a service such as OWA email that a principal is who they say they are. It contains:

  • username/ID
  • http service name/ID
  • network address (list of IP addresses or null)
  • timestamp
  • lifetime of validity
  • HTTP service session key