This document describes what happens when a user logs into the Cisco Information Server (CIS) via Kerberos authentication for the first time.
When the Kerberos ticket is authenticated by CIS, must CIS do an LDAP lookup for the list of groups the user belongs to, or is that included in the TGT?
Kerberos provides authentication only; it does not provide authorization.
Once the user is authenticated, CIS fetches the user's groups from the Lightweight Directory Access Protocol (LDAP) directory. Also, when you register the LDAP directory as an external domain in CIS, you import the external groups that CIS should recognize.
Once CIS has the user's groups from LDAP, it matches them against the privileges already configured for the imported external groups in CIS in order to determine which resources the user is authorized to access. A group that was never imported into CIS grants nothing, even if the user belongs to it in LDAP.
The Ticket-Granting Ticket (TGT), and the service ticket the client presents to CIS, carry no group information that CIS uses; they serve only to authenticate the user. (An Active Directory KDC does embed group SIDs in a ticket's PAC, but CIS does not rely on it; group membership always comes from the LDAP lookup.)
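The following Python models the flow described above: the authenticated Kerberos principal is mapped to an LDAP account, the account's groups are looked up, and only groups that were imported into CIS contribute privileges. This is an added, hypothetical illustration written for this page; it is not CIS code. It assumes the principal has the form user@REALM, that groups are read from the user's memberOf attribute keyed by sAMAccountName, and that CIS keys its per-group privileges by group DN; the directory contents and the privilege table are constructed in-memory stand-ins for a real LDAP server and a real CIS configuration. The filter builder escapes the account name per RFC 4515 because that name arrives from the Kerberos ticket, not from CIS configuration.

```python
"""Model of the post-Kerberos authorization step (hypothetical, not CIS code).

Assumptions:
  - Kerberos authentication yields a principal such as 'alice@CORP.EXAMPLE.COM'
  - group membership is read from the user's LDAP 'memberOf' attribute
  - CIS holds privileges keyed by the DN of each imported external group
The directory and the CIS privilege table below are constructed stand-ins.
"""

# Constructed stand-in for the LDAP directory: entry DN -> attributes.
FAKE_DIRECTORY = {
    "CN=alice,OU=Users,DC=corp,DC=example,DC=com": {
        "sAMAccountName": "alice",
        "memberOf": [
            "CN=Data Analysts,OU=Groups,DC=corp,DC=example,DC=com",
            "CN=Sales,OU=Groups,DC=corp,DC=example,DC=com",
        ],
    },
    "CN=bob,OU=Users,DC=corp,DC=example,DC=com": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=Sales,OU=Groups,DC=corp,DC=example,DC=com"],
    },
}

# Constructed stand-in for the external groups imported into CIS and the
# privileges configured for each. 'Sales' was deliberately not imported.
CIS_EXTERNAL_GROUP_PRIVILEGES = {
    "CN=Data Analysts,OU=Groups,DC=corp,DC=example,DC=com": {"READ", "EXECUTE"},
    "CN=CIS Admins,OU=Groups,DC=corp,DC=example,DC=com": {"READ", "WRITE", "EXECUTE"},
}


def principal_to_account(principal: str, expected_realm: str) -> str:
    """Turn 'alice@CORP.EXAMPLE.COM' into the LDAP account name 'alice'.

    Only principals from the realm registered for the external domain are
    accepted: a ticket from another realm was authenticated by its own KDC
    but must not be mapped onto this directory's accounts.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or realm.upper() != expected_realm.upper():
        raise ValueError(f"principal {principal!r} is not in realm {expected_realm}")
    return name


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(account: str) -> str:
    """Filter that would be sent to LDAP to find the user's entry.
    The account name originates from the Kerberos ticket, so it is escaped."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(account)}))"


def lookup_groups(account: str, directory=FAKE_DIRECTORY) -> list:
    """Return the group DNs from the user's memberOf attribute.

    A real deployment sends build_user_filter(account) over LDAP; here the
    same equality match is evaluated against the in-memory stand-in.
    An authenticated user with no LDAP entry simply has no groups.
    """
    for attrs in directory.values():
        if attrs.get("sAMAccountName", "").lower() == account.lower():
            return list(attrs.get("memberOf", []))
    return []


def effective_privileges(principal: str, realm: str,
                         directory=FAKE_DIRECTORY,
                         group_privileges=CIS_EXTERNAL_GROUP_PRIVILEGES) -> set:
    """Union of the privileges configured for the user's imported groups.
    Groups present in LDAP but never imported into CIS contribute nothing."""
    account = principal_to_account(principal, realm)
    granted = set()
    for group_dn in lookup_groups(account, directory):
        granted |= group_privileges.get(group_dn, set())
    return granted


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        p = f"{who}@CORP.EXAMPLE.COM"
        print(p, "->", sorted(effective_privileges(p, "CORP.EXAMPLE.COM")))
```

With the constructed data, alice receives READ and EXECUTE through Data Analysts, bob receives nothing because Sales was never imported into CIS, and carol (authenticated by Kerberos but absent from LDAP) also receives nothing: a valid ticket alone never confers access.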