Tags: authentication, single-sign-on, kerberos, cas, spnego

What is the point of the Kerberos Service Ticket (ST) in CAS?


In CAS you have Ticket Granting Tickets (TGT) and Service Tickets (ST). I don't see why you need STs if you already have a TGT. You can simply validate the TGT and return a green light for authorization to the client for the owner of the TGT.

So why do we need an additional ticket next to the TGT called ST?


Solution

  • In the Kerberos world, service tickets (STs) provide access to application services such as, for example, an HTTP or SSH service running on some server. The actual HTTP or SSH service in such an example is considered a protected resource - you must prove your identity to that service by providing a Kerberos service ticket. Now, let's walk one step back a bit. In order to get any service tickets from the KDC, you must possess a TGT. The TGT is the mechanism by which the Kerberos client proves its identity to the KDC, in order to get STs, and the ST is the mechanism by which the Kerberos client proves its identity to the target resource (application server). Application servers don't validate TGTs of the Kerberos client, they validate STs. The Kerberos client can be either a user, a computer, or even a service. While Kerberos is portable to any over-arching authentication framework architecture, it was architected for use inside of internal networks and not over the web. Reference: Kerberos: An Authentication Service for Computer Networks
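The three exchanges the answer describes (AS: password-derived key to TGT, TGS: TGT to ST, AP: ST to the application server), as an added simulation that is not part of the original answer and not the CAS project's code. It assumes a toy encrypt-then-MAC construction (SHA-256 keystream plus HMAC) standing in for real Kerberos encryption types, a constructed realm with one user ("alice") and one service principal ("HTTP/app.example.test"), and omits pre-authentication and replay caches. The point it makes concrete is the one the answer ends on: the TGT is sealed under the KDC's key and the ST under the service's key, so the service can validate an ST on its own but cannot validate, or even read, a TGT.

```python
import hashlib, hmac, json, secrets, time

# Toy encrypt-then-MAC (SHA-256 keystream + HMAC); a stand-in for Kerberos enctypes,
# assumption for this example only, not for production use.
def _ks(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("not decryptable with this key (wrong party or tampered)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def fresh(body):  # reject expired tickets
    if body["exp"] < time.time():
        raise ValueError("ticket expired")
    return body

class KDC:
    """Knows the krbtgt key, every user key and every service key."""
    def __init__(self, krbtgt_key, user_keys, service_keys):
        self.krbtgt_key, self.user_keys, self.service_keys = krbtgt_key, user_keys, service_keys

    def as_exchange(self, client):
        # AS-REQ/AS-REP: the TGT is sealed under the krbtgt key (only the KDC can read it);
        # the TGT session key goes back sealed under the client's own key.
        skey = secrets.token_bytes(32)
        tgt = seal(self.krbtgt_key, {"client": client, "skey": skey.hex(), "exp": time.time() + 300})
        return tgt, seal(self.user_keys[client], {"skey": skey.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        # TGS-REQ/TGS-REP: the KDC validates the TGT here, then issues an ST sealed under
        # the *service's* key so the service can check it without ever seeing the TGT.
        body = fresh(unseal(self.krbtgt_key, tgt))
        if unseal(bytes.fromhex(body["skey"]), authenticator)["client"] != body["client"]:
            raise ValueError("authenticator does not match TGT")
        sskey = secrets.token_bytes(32)
        st = seal(self.service_keys[service], {"client": body["client"], "service": service,
                                              "skey": sskey.hex(), "exp": time.time() + 300})
        return st, seal(bytes.fromhex(body["skey"]), {"service": service, "skey": sskey.hex()})

class Service:
    """Application server: holds only its own key, never the krbtgt key."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ticket, authenticator):
        # AP-REQ: open the ST with our key, then check the authenticator under the ST's session key.
        body = fresh(unseal(self.key, ticket))
        if body["service"] != self.name:
            raise ValueError("ticket issued for another service")
        if unseal(bytes.fromhex(body["skey"]), authenticator)["client"] != body["client"]:
            raise ValueError("authenticator does not match ticket")
        return body["client"]

class Client:
    def __init__(self, name, key, kdc):
        self.name, self.key, self.kdc = name, key, kdc

    def login(self):
        self.tgt, enc = self.kdc.as_exchange(self.name)
        self.tgt_key = bytes.fromhex(unseal(self.key, enc)["skey"])  # needs the user's key

    def ap_req(self, service):
        # Use the TGT to obtain an ST, then build the AP-REQ: ST + fresh authenticator.
        auth = seal(self.tgt_key, {"client": self.name, "ts": time.time()})
        st, enc = self.kdc.tgs_exchange(self.tgt, auth, service)
        sskey = bytes.fromhex(unseal(self.tgt_key, enc)["skey"])
        return st, seal(sskey, {"client": self.name, "ts": time.time()})

def demo():
    # Constructed realm: one user, one HTTP service, one KDC (all keys random per run).
    krbtgt = secrets.token_bytes(32)
    users = {"alice": hashlib.sha256(b"alice-password").digest()}
    services = {"HTTP/app.example.test": secrets.token_bytes(32)}
    kdc = KDC(krbtgt, users, services)
    web = Service("HTTP/app.example.test", services["HTTP/app.example.test"])
    alice = Client("alice", users["alice"], kdc)
    alice.login()
    st, auth = alice.ap_req(web.name)
    result = {"accepted_as": web.accept(st, auth)}
    try:  # presenting the TGT itself to the service fails: it is sealed under the KDC's key
        web.accept(alice.tgt, auth)
        result["tgt_accepted_by_service"] = True
    except ValueError:
        result["tgt_accepted_by_service"] = False
    return result

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the service accepting "alice" on the strength of the ST alone, with no call back to the KDC, while the TGT is unreadable to it. That separation is why a second ticket exists: the KDC keeps the only key that can open TGTs, each service keeps the only key that can open its own STs, and a compromised application server therefore learns nothing that lets it mint or validate tickets for any other service.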