Overview

The Authentication Service (AS) Exchange between the Client-Principal and the Kerberos Authentication Server is initiated when a Client-Principal wishes to obtain authentication credentials for a given server but currently holds no credentials.
The AS does not verify that the Client-Principal issuing a request is a valid client; it blindly returns a ticket, which an attacker who does not hold the Client-Principal's password cannot process.
In its basic form, the Client-Principal's secret key is used for encryption and decryption. This exchange is typically used at the initiation of a login session to obtain credentials for a Ticket-Granting Server, which will subsequently be used to obtain credentials for other services without requiring further use of the Client-Principal's secret key.
The AS exchange may also be used to request credentials for services that must not be mediated through the Ticket-Granting Service but rather require knowledge of a Client-Principal's secret key, such as the password change service (the password-changing service denies requests unless the requester can demonstrate knowledge of the user's old password; requiring this knowledge prevents unauthorized password changes by someone walking up to an unattended session). AS-REQ-REP shows the details of the operations.
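To make the exchange concrete, here is an added toy model with both sides' messages (it is not code from the original page and is not RFC 4120 conformant): the AS answers any request naming a known principal, and only the holder of that principal's secret key can open the reply, while the ticket stays opaque to everyone but the TGS. The realm, principal names, the PBKDF2 stand-in for string-to-key and the HMAC-based cipher are all assumptions.

```python
# Toy model of the Kerberos AS exchange (added example, not RFC 4120 code): PBKDF2 over realm +
# principal stands in for string-to-key, HMAC-SHA256 keystream + tag for the etype; names are constructed.
import hashlib, hmac, json, os
REALM = "EXAMPLE.COM"

def string_to_key(password: str, principal: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key")  # anyone without the key stops here
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class AuthenticationServer:
    def __init__(self, principal_keys: dict, tgs_key: bytes):
        self.keys, self.tgs_key = principal_keys, tgs_key
    def handle_as_req(self, cname: str, sname: str) -> dict:
        # The AS does not authenticate the requester: any AS-REQ naming a known
        # principal gets an AS-REP, which is useless without that principal's key.
        session_key = os.urandom(32).hex()
        ticket = encrypt(self.tgs_key, json.dumps({"cname": cname, "key": session_key}).encode())
        enc_part = encrypt(self.keys[cname], json.dumps({"sname": sname, "key": session_key}).encode())
        return {"ticket": ticket, "enc-part": enc_part}

def client_login(kdc: AuthenticationServer, cname: str, password: str) -> tuple:
    # The client derives its key from the password and opens enc-part; the ticket stays opaque.
    rep = kdc.handle_as_req(cname, "krbtgt/" + REALM)
    enc = json.loads(decrypt(string_to_key(password, cname), rep["enc-part"]))
    return enc["key"], rep["ticket"]

def demo() -> tuple:
    tgs_key = os.urandom(32)
    kdc = AuthenticationServer({"alice": string_to_key("correct horse", "alice")}, tgs_key)
    session_key, tgt = client_login(kdc, "alice", "correct horse")
    try:  # a wrong password still receives an AS-REP but cannot open it
        client_login(kdc, "alice", "wrong password")
        wrong_pw_failed = False
    except ValueError:
        wrong_pw_failed = True
    return json.loads(decrypt(tgs_key, tgt))["key"] == session_key, wrong_pw_failed  # TGS sees same key
```

`demo()` returns `(True, True)`: the TGS reads the same session key out of the ticket that the client recovered from enc-part, and the wrong-password attempt still receives a reply but fails the integrity check.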