The principals involved in the Kerberos model are the user, the client, the key-distribution-center, the ticket-granting-service, and the server providing the requested service. The client acts on the user's behalf and allows the Kerberos communications and computations to be transparent to the user (unless, of course, there is an error, or a ticket expires). Both the client and the ticket-granting-service must trust that the key-distribution-center provided the client with the correct secret key of the user. Once the key-distribution-center provides the client with a ticket for the ticket-granting-service, the key-distribution-center need not be involved in further communications. The ticket-granting-service and the key-distribution-center usually reside on the same machine, with the ticket-granting-service having read-only access to the secret key database. This is so the ticket-granting-service can obtain a server's secret key in order to create a client/server ticket. Having these two principals residing on the same machine eliminates the need for the ticket-granting-service to obtain secret key information over the network, and takes advantage of the strong physical protection mechanisms used to protect the key-distribution-center.
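The division of labour described above, as an added example that is not code from the original page: the key-distribution-center issues a ticket for the ticket-granting-service once, and the ticket-granting-service then builds client/server tickets using only read-only lookups in the secret key database. The principal names, function names and the `seal`/`unseal` toy cipher are assumptions made for illustration (a stand-in for a real Kerberos encryption type), and authenticators are omitted to keep the model small.

```python
import hashlib, hmac, json, os, time
from types import MappingProxyType

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy authenticated encryption (SHA-256 keystream + HMAC tag), standing in
    # for a real Kerberos encryption type. Do not reuse outside this demo.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed secret-key database held on the KDC host (names are hypothetical).
SECRET_KEYS = {p: os.urandom(32) for p in ("alice", "tgs", "fileserver")}
KEY_DB = MappingProxyType(SECRET_KEYS)  # read-only view handed to the TGS

def kdc_issue_tgt(user, lifetime=300):
    """KDC: session key sealed under the user's key, plus a TGT sealed under the TGS key."""
    sk = os.urandom(32).hex()
    tgt = seal(SECRET_KEYS["tgs"], {"client": user, "key": sk, "exp": time.time() + lifetime})
    return seal(SECRET_KEYS[user], {"key": sk}), tgt

def tgs_issue_ticket(tgt, service, now=None):
    """TGS: needs only the TGT and read-only key lookups; the KDC is not contacted."""
    t = unseal(KEY_DB["tgs"], tgt)
    if (now or time.time()) > t["exp"]:
        raise PermissionError("TGT expired")
    cs = os.urandom(32).hex()
    ticket = seal(KEY_DB[service], {"client": t["client"], "key": cs, "exp": t["exp"]})
    return seal(bytes.fromhex(t["key"]), {"key": cs, "service": service}), ticket

def server_accept(server_key, ticket, now=None):
    """Server: opens the ticket with its own secret key, no network lookup."""
    t = unseal(server_key, ticket)
    if (now or time.time()) > t["exp"]:
        raise PermissionError("ticket expired")
    return t
```

The client can open only the part sealed under the user's key; the ticket-granting ticket and the client/server ticket stay opaque to it, which is why both the ticket-granting-service and the server can rely on their contents.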