How does authentication and logon work on Windows with Kerberos? What I want to achieve is to logon a user on a server and run a process for that user.

As a first step, I create a Kerberos ticket on the client and send it to the server. On the server, I do not know the API to logon the user given its ticket. Of course I can accept the security context using AcceptSecurityContext (SSPI), but that does not initiate a logon.

I think that some SSH implementations for Windows do exactly that. But I want to know how and what API they probably use?

There are a few ways you can do this. You do need to call AcceptSecurityContext on the ticket to get a security context. This is what bootstraps everything in Windows. From there you can do a couple different things.

Usually you call ImpersonateSecurityContext so the current thread understands what user it thinks it needs to be. After that you can call QuerySecurityContextToken to get a Windows access token handle. With this handle you then call CreateProcessAsUser. You can also tell it to do things like load the profile if necessary.

This doesn't really do a logon like LogonUserX does, but it effectively starts a process as that user, which is usually what people are looking to accomplish.