AS-REQ: Authentication Server Request (User to KDC)
user requests TGT from KDC with encrypted timestamp (pre-authentication)
- Message 1 to AS; cleartext
- Username / ID
- Service name / ID
- User IP
- Requested lifetime for TGT (might be ignored based on policy)
- Message 2 to AS: timestamp; encrypted with client password-derived key
- Kerberos requires the user to submit a timestamp for pre-authentication
- This feature is enabled by default