decode response into resp; if (resp.msg-type = KRB_ERROR) then process_error(resp); return; endif /* On error, discard the response, and zero the session key from the response immediately */ if (req.padata.authenticator.subkey) unencrypted part of resp := decode of decrypt of resp.enc-part using resp.enc-part.etype and subkey; else unencrypted part of resp := decode of decrypt of resp.enc-part using resp.enc-part.etype and tgt's session key; if (common_as_rep_tgs_rep_checks fail) then destroy resp.key; return error; endif check authorization_data as necessary; save_for_later(ticket,session,client,server,times,flags);