In Kerberos there are two items needed to prove authentication. The first is the ticket, the second is the authenticator. The ticket consists of the requested servername, the clientname, the address of the client, the time the ticket was issued, the lifetime of the ticket, the session key to be used between the client and the server, and some other fields. The ticket is encrypted using the server's secret key, and thus cannot be correctly decrypted by the user. If the server can properly decrypt the ticket, when it is presented by the client, and the client presents the authenticator encrypted using the session key contained in the ticket, the server can have confidence that the user is who he claims to be.
The authenticator contains the clientname, the address, current time, and some other fields. The authenticator is encrypted by the client using the session key shared with the server. The authenticator provides a time-validation for the credential. If a user possesses both the proper credential and the authenticator encrypted with the correct session key, and presents these items within the lifetime of the ticket, then the user's identity can be authenticated.