Overview #
Kerberos Authentication Service (AS Exchange) is between the Client-Principal and the Kerberos Authentication Server is initiated when a Client-Principal wishes to obtain authentication credentials for a given resource but currently holds no credentials.
The AS Exchange is the Kerberos Ticket Granting Ticket (TGT) request and response sent from the client to the Key Distribution Center (KDC).
If the AS Exchange is successful, the client is provided with a Ticket Granting Ticket (TGT).
Kerberos Authentication Service does NOT verify that the Client-Principal issuing a request is a valid client, Kerberos Authentication Service sends a blind response a of a TGT that an attacker won't be able to process if he does not have the Client-Principal's password.
The Kerberos Authentication Service is a component of a Kerberos system which authenticates clients, and TGT that the client can send to the TGS to get a Client-To-Server Ticket.
In its basic form, the Client-Principal's Secret-key is used for encryption and decryption. This exchange is typically used at the initiation of a login session to obtain credentials for a Ticket Granting Service which will subsequently be used to obtain credentials for other Service Providers without requiring further use of the Client-Principal's secret-key.
The Kerberos Authentication Service exchange may also used to request credentials for services that must not be mediated through the Ticket Granting Service, but rather require knowledge of a Client-Principal's Secret-key, such as the password change service (the password-changing service denies requests unless the requester can demonstrate knowledge of the user's old password; requiring this knowledge prevents unauthorized password changes by someone walking up to an unattended session).