Hi @鴻明 劉 ,
This network traffic is normal for a TGT exchange, the client will first try and connect without authentication and pre-authentation required response is sent from the server with the accepted authentication methods, client then tries again with a supported authentication method.
You don't really need to have the TGT ticket cached before the user accesses the service. If the service is setup to use Kerberos, the client will request the required TGT and TGS tickets. You just need to make sure you have the correct SPN configured on the service.
Here are some examples of SPNs https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx