Figure 2 The client receives the information in this encrypted reply, and because it was encrypted with the client's key, it is capable of decrypting it. This gives the client its session key and a TGT that is still encrypted by the key of the TGS.