Slightly confused by user-to-user authentication...

checker checker at d6.com
Fri Jul 1 15:33:25 EDT 2011


Hi, I am new to Kerberos, and I'm planning to use it for authentication for a video game I'm writing where clients talk to servers, but also to other clients.  I'd like to authenticate in all directions, so client<->server and client<->client.  Being a Kerberos noob, I was assuming the servers would have the usual keytab files and service principals, and then I was assuming the clients would get tickets for talking to each other from the TGS, so a at FOO.COM would get a service ticket for b at FOO.COM and vice versa.  But I happened across the user-to-user credentials stuff, and this seems like the better way to go because it doesn't require both clients to talk to the TGS, and it establishes just one session key for both, rather than having two?  So, since both clients will have TGTs, I pick one to talk to the KDC to get the user-to-user credentials and then they can authn each other?

Is that the right way to do this?  Is there anything to look out for here?

Thanks,
Chris
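The exchange the question is asking about, as an added illustration that is not part of the original post and is not MIT Kerberos code: a toy model of the user-to-user TGS exchange (the ENC-TKT-IN-SKEY option of RFC 4120), with the KDC, client A and client B each doing their half. The cipher is a stdlib-only stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) for a real Kerberos enctype, the principal names a@FOO.COM, b@FOO.COM and c@FOO.COM are constructed, and the message layouts are simplified; the point it shows is that only A talks to the TGS, that B opens the resulting ticket with its own TGT session key instead of a keytab, and that both sides end up holding the same single session key.

```python
"""Toy model of the Kerberos user-to-user exchange (RFC 4120, ENC-TKT-IN-SKEY).

Added illustration only: not code from the original post or from MIT krb5.
The cipher is a stdlib-only toy (HMAC-SHA256 keystream, encrypt-then-MAC)
standing in for a real Kerberos enctype; principal names are constructed.
"""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, obj):
    """Seal a JSON-serialisable object under key (toy EncryptedData)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Inverse of encrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self):
        self.krbtgt_key = os.urandom(32)  # long-term krbtgt key, known to the KDC only

    def as_exchange(self, cname):
        """AS exchange: a TGT sealed under krbtgt's key, plus the TGT session
        key the client would receive in the AS-REP under its own key."""
        sk = os.urandom(32)
        return encrypt(self.krbtgt_key, {"cname": cname, "key": sk.hex()}), sk

    def tgs_exchange_u2u(self, tgt, authenticator, sname, additional_ticket):
        """TGS exchange with ENC-TKT-IN-SKEY: the new ticket is sealed under the
        session key carried inside the additional ticket (B's TGT), so the
        target needs no long-term key or keytab to read it."""
        req = decrypt(self.krbtgt_key, tgt)
        req_key = bytes.fromhex(req["key"])
        if decrypt(req_key, authenticator)["cname"] != req["cname"]:
            raise ValueError("authenticator does not match TGT")
        target = decrypt(self.krbtgt_key, additional_ticket)
        if target["cname"] != sname:
            raise ValueError("additional ticket is not for the requested principal")
        sk = os.urandom(32)
        ticket = encrypt(bytes.fromhex(target["key"]),
                         {"cname": req["cname"], "sname": sname, "key": sk.hex()})
        reply = encrypt(req_key, {"sname": sname, "key": sk.hex()})
        return ticket, reply


def user_to_user(kdc, a="a@FOO.COM", b="b@FOO.COM"):
    """Run the exchange; returns (B accepted A, A verified B, one shared key,
    a third client cannot open the ticket)."""
    a_tgt, a_key = kdc.as_exchange(a)
    b_tgt, b_key = kdc.as_exchange(b)
    # Step 1: B hands A its TGT. Safe to share: only the KDC can open it.
    # Step 2: only A talks to the TGS, presenting its own TGT plus B's TGT.
    auth = encrypt(a_key, {"cname": a, "ctime": time.time()})
    ticket, reply = kdc.tgs_exchange_u2u(a_tgt, auth, b, b_tgt)
    a_session = bytes.fromhex(decrypt(a_key, reply)["key"])
    # Step 3: AP-REQ A -> B carrying the ticket and an authenticator.
    ctime = time.time()
    ap_req = (ticket, encrypt(a_session, {"cname": a, "ctime": ctime}))
    # B side: open the ticket with its own TGT session key (no keytab), check
    # it is addressed to B, then check the authenticator with the key inside.
    tkt = decrypt(b_key, ap_req[0])
    if tkt["sname"] != b:
        raise ValueError("ticket not addressed to me")
    b_session = bytes.fromhex(tkt["key"])
    who = decrypt(b_session, ap_req[1])
    accepted = who["cname"] == tkt["cname"] == a
    # Step 4: AP-REP B -> A echoes ctime under the session key (mutual auth).
    ap_rep = encrypt(b_session, {"ctime": who["ctime"]})
    mutual = decrypt(a_session, ap_rep)["ctime"] == ctime
    # A third client's TGT session key cannot open a ticket meant for B.
    _, c_key = kdc.as_exchange("c@FOO.COM")
    try:
        decrypt(c_key, ap_req[0])
        stranger_blocked = False
    except ValueError:
        stranger_blocked = True
    return accepted, mutual, a_session == b_session, stranger_blocked
```

Two things the toy leaves out that a real peer must do: reject an authenticator whose ctime is outside the allowed clock skew, and keep a replay cache so the same AP-REQ cannot be presented twice. Note also what is and is not shared: B sends A only its TGT (opaque to everyone but the KDC); B's TGT session key never leaves B and the KDC, and the single session key both sides end up with is the one the KDC minted inside the user-to-user ticket. In MIT krb5's C API the requesting side asks for such a ticket with the KRB5_GC_USER_USER option to krb5_get_credentials, supplying the peer's TGT as the second ticket, and builds the AP-REQ with AP_OPTS_USE_SESSION_KEY.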
