Overview

Kerberos Authentication Service (AS) Exchange between the Client-Principal and the Kerberos Authentication Server is initiated when a Client-Principal wishes to obtain authentication credentials for a given resource but currently holds none.
The Kerberos Authentication Service does NOT, by itself, verify that the party sending the request really is the named Client-Principal (it only checks that the principal exists in its database). It sends a blind response: an AS-REP carrying a TGT and an encrypted part that the requester cannot process unless he holds the Client-Principal's Secret-key, which is derived from the password. Since that blind reply also gives an attacker material for offline password guessing, Kerberos pre-authentication (RFC 4120 section 3.1.1, e.g. PA-ENC-TIMESTAMP) makes the server demand proof of the Secret-key before it answers at all.
In its basic form, the Client-Principal's Secret-key is used for both encryption and decryption. This exchange is typically used at the start of a login session to obtain credentials for the Ticket Granting Service, which are subsequently used to obtain credentials for other Service Providers without further use of the Client-Principal's Secret-key.
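The exchange described above, as an added example that is not part of the original page: a Python model of the AS-REQ / AS-REP round trip with both the client side and the Authentication Server side. Real Kerberos encryption types (RFC 3961) and ASN.1 encoding are replaced by a hypothetical stand-in (PBKDF2 for string-to-key, an HMAC-SHA256 keystream plus HMAC tag for encryption); the realm EXAMPLE.COM, the principal alice and her password are constructed. The KDC can be run with pre-authentication off (the blind response the text describes: a requester with the wrong password still receives an AS-REP it cannot open) or on (the PA-ENC-TIMESTAMP check of RFC 4120 section 3.1.1, where a wrong password gets an error and no AS-REP).

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"  # constructed realm for this example


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for RFC 3961 string-to-key: the Secret-key is derived from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, fields: dict) -> dict:
    """Toy authenticated encryption standing in for a Kerberos etype (not RFC 3961)."""
    nonce = os.urandom(16)
    pt = json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict) -> dict:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("integrity check failed: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server: holds the principal database (cname -> Secret-key)."""

    def __init__(self, require_preauth: bool):
        self.require_preauth = require_preauth
        self.krbtgt_key = os.urandom(32)  # key of krbtgt/REALM; never leaves the KDC
        self.db = {"alice": string_to_key("correct horse", "alice")}  # constructed entry

    def as_exchange(self, as_req: dict) -> dict:
        cname = as_req["cname"]
        if cname not in self.db:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        client_key = self.db[cname]
        if self.require_preauth:
            # PA-ENC-TIMESTAMP: only a holder of the Secret-key can produce valid padata
            if "padata" not in as_req:
                return {"error": "KDC_ERR_PREAUTH_REQUIRED"}
            try:
                ts = decrypt(client_key, as_req["padata"])["timestamp"]
            except ValueError:
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
            if abs(ts - time.time()) > 300:  # clock skew window
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
        # Basic form: no proof of identity was checked; the reply goes out "blind".
        session_key = os.urandom(32).hex()
        tgt = encrypt(self.krbtgt_key, {"cname": cname, "key": session_key,
                                        "endtime": int(time.time()) + 36000})
        enc_part = encrypt(client_key, {"key": session_key, "nonce": as_req["nonce"],
                                        "sname": "krbtgt/" + REALM})
        return {"cname": cname, "ticket": tgt, "enc-part": enc_part}

    def open_ticket(self, ticket: dict) -> dict:
        """What the Ticket Granting Service later does: the TGT is opaque to the client."""
        return decrypt(self.krbtgt_key, ticket)


def client_login(kdc: KDC, cname: str, password: str, preauth: bool = False) -> dict:
    """Client side: build the AS-REQ, send it, open the AS-REP with the password-derived key."""
    key = string_to_key(password, cname)
    as_req = {"cname": cname, "sname": "krbtgt/" + REALM,
              "nonce": int.from_bytes(os.urandom(4), "big")}
    if preauth:
        as_req["padata"] = encrypt(key, {"timestamp": int(time.time())})
    as_rep = kdc.as_exchange(as_req)
    if "error" in as_rep:
        return {"status": as_rep["error"]}
    try:
        enc = decrypt(key, as_rep["enc-part"])
    except ValueError:
        # The AS-REP arrived anyway; without the right Secret-key it is useless to us.
        return {"status": "AS-REP_UNDECRYPTABLE", "ticket": as_rep["ticket"]}
    assert enc["nonce"] == as_req["nonce"]  # reply must answer this request, not a replayed one
    return {"status": "OK", "session_key": enc["key"], "ticket": as_rep["ticket"]}


if __name__ == "__main__":
    print(client_login(KDC(require_preauth=False), "alice", "wrong")["status"])
    print(client_login(KDC(require_preauth=True), "alice", "wrong", preauth=True)["status"])
```

Run stand-alone it prints AS-REP_UNDECRYPTABLE for the first KDC and KDC_ERR_PREAUTH_FAILED for the second, which is the whole difference pre-authentication makes: in the basic exchange the server hands over the encrypted reply to anyone who names a valid principal, whereas with pre-authentication the requester must prove possession of the Secret-key before anything encrypted under it is released.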
The Kerberos Authentication Service exchange may also be used to request credentials for services that must not be mediated through the Ticket Granting Service but instead require knowledge of the Client-Principal's Secret-key, such as the password change service (the password-changing service denies requests unless the requester can demonstrate knowledge of the user's old password; requiring this knowledge prevents unauthorized password changes by someone walking up to an unattended session).